1. Introduction


Cellebrite UFED is made up of a number of components: 

» Cellebrite UFED (Touch and 4PC) and Cellebrite Responder enable logical, password,
SIM, file system, and physical extractions from mobile devices, which can then be saved
to a USB flash drive, SD memory card, or directly to your PC.

» Extractions from cloud-based data sources. Cloud data sources refers to services 
provided to consumers over the Internet. 

» Cellebrite Pathfinder enables you to immediately identify the links between persons of 
interest and pinpoint the connections and communication methods used between 
multiple devices, based on reports generated from physical, logical, and file system 
extractions. 

» The Physical Analyzer application provides an in-depth view of the device's memory using 
advanced decoding, analysis, and reports. Physical Analyzer can decode all types of 
extractions created by UFED. 

» The Logical Analyzer application reads UFED files (UFED dump files, *.ufd) and UFED
report files (*.xml) created as part of the logical extraction.

» The Phone Detective application helps investigators quickly identify a mobile phone by its 
physical attributes, eliminating the need to start the device and the risk of device lock. 


The UFED work flow consists of two steps: 


» Extraction - Physical, file system, logical, password, SIM card extraction using UFED. 


» Decoding, analysis, and reporting using Physical Analyzer or Logical Analyzer. 


This manual is for both Physical Analyzer and Logical Analyzer. Logical
Analyzer includes a small fragment of the Physical Analyzer capabilities.
Features that are only applicable to Physical Analyzer are indicated. If you
upgrade from a logical license to an ultimate license, the software will be
upgraded to Physical Analyzer.


This manual also describes the UFED Cloud extraction feature. UFED
Cloud assists law enforcement agencies and enterprises to enhance their
investigations by extracting and displaying information from cloud-based
data sources. To use UFED Cloud within Physical Analyzer, a separate
license is required.


1.1. Physical extraction 


When performing a physical extraction, UFED uses advanced extraction methods to create a 
single Hex extraction file for each flash memory chip, or address range utilized by the mobile 
device. Unlike logical extraction processes, the method of the physical extraction is to 
bypass the device's operating system, and to acquire the data directly from the device's 
internal flash memory. The device memory is captured into Hex extraction file(s) that are
later read and decoded using Physical Analyzer. 


The created physical extraction includes memory space unallocated by the device’s OS which 
may contain deleted data such as Instant messages, call logs, phonebook entries, pictures, 
videos, and user passwords. 


Physical extraction provides a bit-by-bit copy of the entire flash memory of a mobile device. 

Decoding of physical extractions not only enables the acquisition of intact data, but also data
that is hidden or has been deleted. Deleted data can be recovered from files and unallocated
space (see footnote 1).


Physical Analyzer provides advanced carving algorithms that recover SQLite records to
reveal additional deleted data from unallocated space. The amount of deleted data varies
depending on the data on the device. The decoded data is displayed in the same lists as the
analyzed data. For example, deleted Instant messages from unallocated space are displayed
in the same list as the Instant messages.


Data carving from unallocated space provides the following benefits: 


» Best and quickest solution for uncovering deleted data on the market. 
» Reveal additional deleted data in less time. 
» Reveal deleted data that was not available previously. 


» Reveal higher quality data - both false positives and duplicates are automatically 
removed. 


» Automatic activation: There is no need for manual activation.


» Various content types supported such as: Instant messages, Calls, Contacts, Emails, and
application data (see footnote 2).


» Same view: Ability to arrange all data, including data decoded from unallocated space, in 
the same views and with timelines. 
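The signature-based carving described above, reduced to its core. This is an added example written for this page, not Physical Analyzer's carving engine: it scans a raw image for JPEG start and end markers without consulting any file system, which is why a picture that was deleted but never overwritten is still found, and it drops duplicate hits by SHA-256 so a second copy of an already-recovered picture is reported once. The function names, the 10 MiB size cap and the sample image are this example's own; Physical Analyzer's SQLite record carving is considerably more involved than this.

```python
"""Signature-based file carving over a raw flash image (added example).

Not Cellebrite code. Unallocated space is scanned for known file
signatures without consulting any file system, which is how pictures
that were deleted but never overwritten can still be recovered.
"""
import hashlib

JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker followed by the first segment marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker
MAX_FILE = 10 * 1024 * 1024     # assumed cap: give up on a header with no footer within 10 MiB


def carve_jpegs(image: bytes, dedupe: bool = True):
    """Return (offset, blob) pairs for every JPEG-shaped run found in `image`.

    With dedupe=True, a second copy of identical bytes (for example a deleted
    duplicate of a picture already recovered) is reported only once, keyed by
    SHA-256 of the carved bytes.
    """
    hits = []
    seen = set()
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + MAX_FILE)
        if end == -1:
            pos = start + 1          # truncated or overwritten file: keep scanning past the header
            continue
        blob = image[start:end + len(JPEG_FOOTER)]
        digest = hashlib.sha256(blob).hexdigest()
        if not dedupe or digest not in seen:
            seen.add(digest)
            hits.append((start, blob))
        pos = end + len(JPEG_FOOTER)
    return hits


def build_sample_image() -> bytes:
    """Constructed sample: signature-free filler around two distinct fake JPEGs,
    the first of which appears twice, as a deleted copy would."""
    filler = bytes([0x00, 0x41, 0x42, 0x43]) * 64   # 256 bytes, contains no 0xFF
    pic_a = JPEG_HEADER + b"\xe0AAAA" + JPEG_FOOTER
    pic_b = JPEG_HEADER + b"\xe1BBBB" + JPEG_FOOTER
    return filler + pic_a + filler + pic_b + filler + pic_a + filler


if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample_image()):
        print(f"JPEG at offset {offset:#x}, {len(blob)} bytes")
```

Running the block prints the offset and size of each carved picture. A production carver also validates structure (JPEG segment lengths, embedded thumbnails that carry their own FF D9 marker) so that one hit neither ends early nor swallows the next file; the scan-for-signature-then-deduplicate loop is the part that stays the same across content types.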


1.2. Data analysis 


Physical Analyzer enables the investigator to perform in-depth analysis of the extracted data 
and generate reports. 


Physical Analyzer has the following key features: 


» Decoding of the extraction with a layered view of memory content 


Footnote 1: Unallocated space consists of clusters of a media partition that are not in use for storing active
files. It may contain pieces of files that were deleted from the file partition but not removed from the
physical disk.

Footnote 2: Application data such as Kik, WhatsApp, Facebook, Facebook Messenger, Twitter, etc.


» Provides a detailed view of the Hex file
» Reconstructs the device file system
» Decodes various Analyzed data types such as: Contact lists, Instant messages, call logs,
device information (IMSI, ICCID, user codes), application information, and more
» Provides a view of data files - images, videos, databases, and so on
» Provides access to both current and deleted data
» Reveals device passwords (when applicable)
» Machine learning algorithm that automatically categorizes all images in a case to help
quickly single out places, faces, and objects to help find connections faster.
» Powerful extraction for iOS and GPS devices
» Intuitive and user friendly UI for browsing the extracted information
» Powerful analysis and search tools
    » Instant search for all project content
    » Advanced search based on multiple parameters
    » Instant search for data tables content
» Watch lists for automatic highlighting of information based on a predefined list of
keywords
» Timeline for viewing all the events performed via the mobile device in a single
chronological view
» Malware scanner identifies malware in the device
» Search the Hex by various parameters such as strings, bytes, numbers, dates
» Ability to use regular expression search (RegEx) to look for specific data strings
» Tag memory locations for indexing of key areas for later review
» Use Python shell commands for data analysis
» Plug-ins
    » Add or remove plug-ins
    » Write your own plug-ins using Python scripting language
    » Manage chains
» Generates customizable reports (logo, header, etc.) in multiple formats
2. Installation and activation


This section describes the installation and activation process of Physical Analyzer on your
PC.


2.1. System requirements 


Operating System: Windows compatible PC with Intel i5 or compatible, 4 cores.
Microsoft Windows 10, 64-bit, or Microsoft Windows 8.x, 64-bit.

Memory (RAM): 1

Space requirements: 500 GB of free disk space for installation and highlights database.
SSD recommended.

Graphics Processing Units (Recommended): NVIDIA® GPU card with CUDA compute capability
3.5 or higher. See the list of CUDA-enabled GPU cards.
*The GPU is recommended to boost the speed of processing the CSA category in the Media
classification engine.

Additional Requirements: Microsoft .Net version 4.6.2.
Windows Media Player (default version for installed OS or higher) to use the Capture tool
and play video playback.

Permissions: If you intend to activate the application using a hardware license key (dongle)
provided by Cellebrite, you must have administrative rights over the computer.


2.2. Installing the application 


Before you begin, ensure that the USB3 Host-to-Host cable is not attached to
your computer.

PA setup includes an exe file and additional BIN files.

1. Double-click the Cellebrite_Physical_Analyzer_[version number].exe file.

(Screenshot: Select Setup Language dialog - "Select the language to use during the
installation", with English selected and OK / Cancel buttons.)

2. Select the desired language and click OK to continue. The following window appears.

(Screenshot: Setup - Cellebrite Physical Analyzer, "Welcome to the Cellebrite Physical
Analyzer Setup Wizard. This will install Cellebrite Physical Analyzer 7.34.18 on your
computer. It is recommended that you close all other applications before continuing.
Click Next to continue, or Cancel to exit Setup.")


3. Click Next. The following window appears.

(Screenshot: Setup - Cellebrite Physical Analyzer, License Agreement page: "Please read the
following License Agreement. You must accept the terms of this agreement before continuing
with the installation", followed by the End User License Agreement text and the options
"I accept the agreement" / "I do not accept the agreement".)

4. Read the agreement, select I accept the agreement and then click Next. The following
window appears.


(Screenshot: Setup - Cellebrite Physical Analyzer, Select Destination Location page: "Setup
will install Cellebrite Physical Analyzer into the following folder. To continue, click Next.
If you would like to select a different folder, click Browse. At least 5,765.5 MB of free
disk space is required.")

5. Click Next or if desired click Browse and set a different installation folder. The following
window appears.


(Screenshot: Setup - Cellebrite Physical Analyzer, "Install the Cloud data extraction feature"
page: "Extract, preserve and analyze public and private-domain, social-media, instant
messaging and other cloud-based content using a forensically sound process. Would you like
to install the cloud data extraction capability? It increases installation time but enables
you to extract, preserve and analyze public and private-domain cloud-based content", with
Yes / No options.)

6. Select Yes to install the public data capability to enrich your examinations with public
social media and cloud-based data. Internet access is required for this capability. If this
capability is not required select No. The following window appears.


(Screenshot: Setup - Cellebrite Physical Analyzer, Select Additional Tasks page: "Select the
additional tasks you would like Setup to perform while installing Cellebrite Physical
Analyzer, then click Next. Additional shortcuts: Create a desktop shortcut".)

7. If you do not want a desktop icon, clear the Create a desktop icon check box, and then
click Next. The following window appears.
(Screenshot: Setup - Cellebrite Physical Analyzer, Ready to Install page: "Setup is now ready
to begin installing Cellebrite Physical Analyzer on your computer. Click Install to continue
with the installation, or click Back if you want to review or change any settings.
Destination location: C:\Program Files\Cellebrite Mobile Synchronization\UFED Physical Analyzer.
Additional tasks: Additional shortcuts: Create a desktop shortcut".)

8. Click Install. The installation begins.

As part of the installation process, you may be prompted to download
and install Microsoft .NET Framework. This is part of the installation
and requires that your computer has Internet access.


(Screenshot: Setup - Cellebrite Physical Analyzer, "Completing the Cellebrite Physical
Analyzer Setup Wizard. Setup has finished installing Cellebrite Physical Analyzer on your
computer. The application may be launched by selecting the installed shortcuts. Click Finish
to exit Setup", with the check box "Launch Cellebrite Physical Analyzer".)

9. If you intend to activate the application using a hardware license key (dongle) provided by
Cellebrite, select Install Hasp Dongle Drivers.

You must have administrative rights to install the HASP dongle drivers.

10. To start the application at the end of the installation, select Launch Physical Analyzer.
11. Click Finish.
2.2.1. Silent installation

» For version 7.39 and newer installations, the .exe will include additional .bin files:

Cellebrite_Physical_Analyzer.exe
Cellebrite_Physical_Analyzer-1.bin
Cellebrite_Physical_Analyzer-2.bin

Running this silently can be done by using the following parameters:
"Cellebrite_Physical_Analyzer.exe" /verysilent /dir=(folderpath) /log=(folderpath)

» For version 7.38 and older installations, all of the files are consolidated into a single .exe
file:

Cellebrite_Physical_Analyzer_7.38.0.51.exe

Running these executables silently can be done with these parameters:
"Cellebrite_Physical_Analyzer_7.38.0.51.exe" -sp /log=path /dir=path /verysilent

Other Parameters:

1. Offline Maps: The tileserver component of Physical Analyzer will be installed if it hasn't
been installed yet and/or if nodejs isn't installed; the option to control its installation
is not exposed in the CLI.

2. Cloud Extraction: The parameter for skipping the Cloud extraction module is as follows:
/CloudInstalled=1

Default installation log locations:

1. Windows temp folder:
C:\Users\[localuser]\AppData\Local\Temp\Setup Log 2020-10-15.txt

2. There is also a log created in the directory where the .exe is being launched from:
PA-setup.log

The default log path can be changed by adding /log=(folder path) as a parameter (as
shown above).

Validating Installation:

1. The log file is approximately 9MB when complete.

2. It takes approximately 10 minutes for the installation to complete when performing an
upgrade. It may be a few minutes longer for a fresh install since it is also installing the
HASP Dongle drivers, offline maps tile server, etc.

3. For fresh installations, a restart of Windows is required at the end of the installation in
order to ensure the HASP dongle drivers are fully initialized. Restarts are not automatically
triggered.
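The two parameter forms above, wrapped in a small planner so that an administrator scripting the rollout builds the same command line every time. This is an added example, not a Cellebrite tool: plan_silent_install, version_from_filename and the rule that a version-less filename means the 7.39+ split layout are this example's assumptions; the companion .bin names, the switches and /CloudInstalled=1 are taken from the section above. The directory listing is passed in rather than read from disk so the completeness check can be exercised without an installer present.

```python
"""Planner for a silent Physical Analyzer installation (added example).

Not a Cellebrite tool. The switches, the /CloudInstalled=1 parameter and the
companion .bin file names come from the manual; the function names, the
version-from-filename rule and the companion-file check are assumptions
made for this example.
"""
import re

OLD_STYLE_MAX = (7, 38)                  # 7.38 and older: single self-contained .exe
COMPANION_BINS = ("-1.bin", "-2.bin")    # 7.39+: .exe plus these files beside it


def version_from_filename(exe_name: str):
    """Parse (major, minor) from a name such as
    'Cellebrite_Physical_Analyzer_7.38.0.51.exe'; None when the name carries
    no version, which this example treats as the 7.39+ split layout."""
    m = re.search(r"_(\d+)\.(\d+)(?:\.\d+)*\.exe$", exe_name, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def plan_silent_install(exe_name, present_files, install_dir, log_dir, skip_cloud=False):
    """Return the argv list for a silent install, or raise ValueError when the
    installer layout is incomplete.

    `present_files` is the set of file names in the installer directory; it is
    passed in rather than read from disk so the check runs without an installer.
    """
    if exe_name not in present_files:
        raise ValueError(f"installer {exe_name} not found")
    stem = exe_name[:-len(".exe")]
    version = version_from_filename(exe_name)
    if version is None or version > OLD_STYLE_MAX:
        # 7.39+ layout: the .exe is useless without its .bin payload files
        missing = [stem + suffix for suffix in COMPANION_BINS if stem + suffix not in present_files]
        if missing:
            raise ValueError(f"missing companion files: {', '.join(missing)}")
        argv = [exe_name, "/verysilent", f"/dir={install_dir}", f"/log={log_dir}"]
    else:
        # 7.38 and older: documented switch order for the consolidated .exe
        argv = [exe_name, "-sp", f"/log={log_dir}", f"/dir={install_dir}", "/verysilent"]
    if skip_cloud:
        argv.append("/CloudInstalled=1")   # documented parameter for skipping the Cloud module
    return argv


if __name__ == "__main__":
    # Constructed directory listing; run subprocess.run(argv, check=True) from
    # that directory in an elevated prompt to perform the real install.
    listing = {"Cellebrite_Physical_Analyzer.exe",
               "Cellebrite_Physical_Analyzer-1.bin",
               "Cellebrite_Physical_Analyzer-2.bin"}
    print(" ".join(plan_silent_install("Cellebrite_Physical_Analyzer.exe", listing,
                                       r"C:\PA", r"C:\PA-logs", skip_cloud=True)))
```

The returned list is meant for subprocess.run from the installer's own directory in an elevated prompt, since the HASP driver step needs administrative rights; the log folder passed as /log= is where the roughly 9 MB log described above should appear, and a fresh install still needs the manual Windows restart.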


2.3. Activating the license 


Activate Physical Analyzer in one of the following ways: 


» Using a dongle license (on the facing page) 
» Using a network dongle license (on page 27) 


Check your kit to make sure which method you should use. 


2.3.1. New version notification 


Cellebrite will inform you when a newer version of your software is available. If you are 
connected to the internet you will receive this notification when the new version is available. 
If you are not connected to the internet the notification will appear every 3 months. 
2.3.2. Using a dongle license

Use the Cellebrite UFED dongle provided with your Cellebrite UFED kit. The dongle contains
licenses for all the applications purchased.

To use Physical Analyzer with a dongle:

1. Go to community.cellebrite.com and log in with your credentials (or create an account).

2. Go to Products & Licenses > Register Device and enter a name for the device, the serial
number and Dongle ID as displayed on the dongle.

(Screenshot: Register New Device form.)

3. Click Load license and upload the license.

Click Next. The following window appears.

(Screenshot: Device Registration completed window, with the Download License button, the
"Register UFED Product / Dongle" form and the Done / Register Another Device buttons.)

4. Click Download License from the Device Registration Completed window to download the
license key (or click See licenses in the Products tab and then from the menu on the right
select Download license).

5. Download and install the Physical Analyzer application.

6. Start the Cellebrite UFED application and connect the dongle to a USB port on your
computer. The following window appears.

(Screenshot: Cellebrite product license window: "To start working with UFED, registration of
your UFED license dongle on MyCellebrite is required (make sure you have an internet
connection): 1. Go to https://community.cellebrite.com 2. Create a new account or sign in
using your existing account credentials. 3. Under 'Products & licenses' tab, click 'Register
device'. 4. Download the license file and upload it by clicking the 'Load license file' link
below." The window also shows the dongle serial, Dongle ID and Dongle Type, a Load license
file link, and Help / Sales buttons.)

7. In the Cellebrite product license window, click Load license file and upload the license
key.

Congratulations, your Physical Analyzer application is now ready!
2.3.3. Using a network dongle license

The network dongle is connected to your organization's network and
contains licenses for all the applications purchased.

To use Cellebrite applications with a network dongle:

1. Start the application. If the network dongle is connected to the network, the application
starts and the user can start working immediately.

If the network dongle is not recognized, the Cellebrite Product Licensing window appears.

(Screenshot: Cellebrite Product Licensing window with the License source set to the local
dongle: "Dongle license details - Dongle not found. To use the product with a dongle license,
plug in the dongle to your computer", the options Export C2V file, Update dongle license,
Show dongle log and Load license file, the Software license details with the Computer ID,
and Help / Renew / Close buttons.)

2. Click Network. The following window appears.

(Screenshot: Cellebrite Product Licensing window with the License source set to Network:
"Network dongle license details - Network dongle not found. Check your computer's network
connection and refresh", with Refresh, Configure and Show dongle log options and Help /
Renew / Close buttons.)

If a dongle was not found on the network, make sure that you have an
Internet connection and that a dongle is connected to the network.
Then click Refresh to search for a network dongle again.

By default, the network configuration is set to Broadcast. If required,
you can manually connect to the network dongle. Click Configure to
change the network configuration to Specific host. Enter the host name
(or IP address).

If there is only one network dongle it will be selected automatically. If
there are multiple network dongles, select the required dongle from
the list and click Apply.

Congratulations, your application is now ready!
3. Scanning for malware

Run malware detection on your extraction to search for malware.

When you scan for malware, Physical Analyzer uses the last-used signature database. If this
is the first time you are using the malware scanner, or if you want to update the database
before you scan, follow the steps in Updating the signature database (online) (on the next
page). If you are working on a computer without an internet connection, follow the steps in
Updating the signature database from file (offline) (on page 31).

1. Select Tools > Malware scanner > Scan Malware. The following window appears.

(Screenshot: Malware scanner window, "Powered by BitDefender", listing the file systems in
the extraction with check boxes - efs (ExtX), persist (ExtX), system (ExtX), cache (ExtX),
hidden (ExtX), userdata (ExtX), NO NAME, Google Drive Files - and the line "The definitions
database was last updated on: 2/11/2020 12:38 PM".)

2. Select the file system(s) that you want to scan, and click Scan.

Physical Analyzer scans the project for malware. The results are displayed under the
Malware scanner tree item.

3. Double-click the Malware scanner tree item to open a data display tab.

The data shown includes the malware type and malware information, such as the name.

» To include the results in a report, select Infected Files in the Report Dataset area. For
more information, see Generating a report (on page 257).
3.1. Updating the signature database (online)

Update the signature database before the first time you use the malware scanner in order to
populate the database, and thereafter in order to keep the signature database up to date.

Once the signature database is populated, you can run the malware
scanner using the existing database. It is strongly recommended that you
update the signature database on a regular basis in order to keep it
current.

1. In the Tools menu, select Malware scanner > Update signature database. The following
window appears.

(Screenshot: Update signature database window with two options - "Update from web: Click
'Update from web' if you are connected to the Internet" and "Update from file: Click 'Update
from file' after you downloaded the signature database. For more information, click here" -
and an Installation progress bar.)

2. Click Update from web. The database is populated.

(Screenshot: the same window during the download, showing "Installation progress: 5%
(98864875 bytes remaining)" and "Downloading file: emalware.196".)

3. Upon completion, click Close. You can now scan the project for malware.
3.2. Updating the signature database from file (offline)

Update the signature database from file when you are working on a computer that does not
have an internet connection.

Once the signature database is populated, you can run the malware
scanner using the existing database. It is strongly recommended that you
update the signature database on a regular basis in order to keep it
current.

1. In Windows Explorer, in the main Physical Analyzer directory, copy the
BitDefenderUpdater directory to an external storage device.

2. Transfer the BitDefenderUpdater directory to a computer that has an internet connection
without proxy settings.

3. In the BitDefenderUpdater directory, double-click Malware Definitions Downloader.exe.

(Screenshot: Malware Definitions Downloader: "Ready to download malware definitions. There
are new malware definitions. Click Download to start downloading the definitions. They will
be stored in the same location as the Downloader. Select the computer operating system on
which the UFED Physical Analyzer is installed: 32 Bit / 64 Bit".)

4. Select the computer operating system of the computer on which Physical Analyzer is
installed.
5. Click Download. The following window appears.

(Screenshot: "Download completed successfully! Copy the definitions file to a storage device
(if it's not already on one), connect it back to the computer running Physical Analyzer and
continue there", with an Open containing folder button.)

6. Click Open containing folder.
7. Copy the definitions.msd file to an external storage device, and transfer it to the computer
on which Physical Analyzer is installed.
8. Click Close to close the Malware Definitions Downloader.

To streamline your workflow and save time, it is recommended that you
always use the same computer to download the definitions.msd file.
When you download the definitions.msd file to this computer in the
future, the Malware Definitions Downloader updates the file instead of
downloading the entire file. Make sure that you do not delete the
definitions.msd file from this computer.

9. In Physical Analyzer, select Tools > Malware scanner > Update signature database. The
following window appears.

(Screenshot: Update signature database window with the options "Update from web: Click
'Update from web' if you are connected to the Internet" and "Update from file: Click 'Update
from file' after you downloaded the signature database. For more information, click here",
and an Installation progress bar.)

10. Click Update from file. The Open file window appears.
11. Browse to the malware definitions database file (*.msd), and click Open.
12. Click Start. The database is populated.

(Screenshot: the same window during the update, showing "Installation progress: 5%
(98864875 bytes remaining)" and "Downloading file: emalware.196".)

13. Upon completion, click Close. You can now scan the project for malware.
4. Getting started


Physical Analyzer provides powerful decoding and analysis tools for the extracted device 
data, and simplifies the task of navigating through the device's data structures. Physical 
Analyzer assists you in the complex tasks of intelligence gathering, investigative research, 
and providing legal evidence in the form of reports. 


The application is designed to utilize the memory extracted by UFED and present the 
device's Hex extraction, file system and analyzed data in a clear and concise way, allowing 
investigators to use powerful search tools to reveal relevant information. 


As a final step, the application enables you to generate reports of your findings in
various file formats, such as HTML, PDF, Excel (*.xlsx), and XML.


To learn more about performing extractions on cloud based data sources, see Cloud
extractions (on page 208).


4.1. Starting Physical Analyzer 


To start Physical Analyzer, do one of the following: 
» Double-click the Physical Analyzer desktop shortcut. 
» Select Start > Programs > Cellebrite Mobile Synchronization > Physical Analyzer. 


For an overview of the workspace, see Orientation to the workspace (on page 81).


4.2. Opening an extraction for analysis 


Physical Analyzer can open files created by the UFED device, XML files created by the
Physical Analyzer, UFDR files, UFD files, and URP files. In Advanced mode, it can open image
and other files. For more information, see Open (Advanced) (on page 42).


If the device data was extracted to a removable drive, connect the USB
flash drive or SD card containing the extracted data to your PC.


For faster processing, copy the extraction folder from the removable 
media to the PC. 


For information on opening an extraction using the case wizard, see Using the case wizard
(on the next page).
4.3. Using the case wizard


A case wizard leads you through the steps to start your investigation in Physical Analyzer, 
and load all related evidence for decoding and examination. 


The case wizard enables you to create a new case, with relevant case information and upload 
multiple extractions {or other evidence). You can also merge extractions and examine hash 
sets, carve locations, and activate Watch lists. You can eliminate the time-consuming tasks 
of reviewing and correlating multiple extractions with the power of Text and Media analytics. 


(Screenshot: the Physical Analyzer File menu - Open case, Recent, Add extraction to, Add
external file, Save as UFDX, Close tabs, Close current tab (Ctrl+F4), Close (Ctrl+W), Save
project session, Load project session, Exit - shown over the Welcome tab, which lists
recently opened projects.)


32 GB of RAM is recommended to use both Physical Analyzer and 
Cellebrite Pathfinder on the same computer. The minimum is 16 GB of 
RAM. 


A GPU is recommended. 


The case wizard steps are as follows: 


» Loading evidence (on page 36)
» Examination tools (on page 69)
4.3.1. Starting the case wizard


To start the case wizard: 
1. From the application menu, select File > Open case. 
Or do one of the following: 


» In the Welcome tab, click on a recent file.


» Drag-and-drop the UFD file into Physical Analyzer. 
4.3.2. Loading evidence


In this step, you can select multiple extractions to decode and examine in a single step. All 
extractions will be merged under a single project or device. 


This first step is mandatory. You can skip the other steps by clicking
Examine data to initiate the decoding process.


Loading extractions is described next. 
For information on loading other types of evidence, see the following topics: 


» Warrant returns (on page 40)
» GrayKey (on page 41)
» Open (Advanced) (on page 42)
» Common sources (on page 56)

(Screenshot: Case wizard, Load evidence step - "Select the extractions", with the Add menu,
the loaded extraction listed, an Add password list button, and the "Merge device?" prompt
offering "Open the extraction as a separate project" or "Add the extraction to:" an existing
device.)

This window provides the following functionality:

» Add an extraction.
» Upload a password list (a dictionary file of all known passwords) before decoding. See
Using password lists (on page 38).
» Select a color to represent the person.
» Rename the device.
» Remove extractions.


To load evidence: 
1. Select Add > Load extraction and select the extraction to add. The following file formats
are supported:
» UFDX collection (*.ufdx)
» UFED dump (*.ufd)
» Binary files (*.bin). Raw binary files or any Hex extraction generated by another
application using the advanced opening feature. See Open (Advanced) (on page 42).
» Nokia PM (*.pm)
» BlackBerry backup file (*.ipd, *.bbb)
» Sony Ericsson GDFS (*.gdfs, *.bin)
» TomTom CFG (*.cfg)
» UFED report (*.xml)
» E01 (*.e01)
» UFED Report Package (*.ufdr)
» Report Manager (*.urp, *.ucp) - UFED Report Pack/UFED Content Pack reports created
by Report Manager
» Cellebrite Responder package (*.zip)


2. Browse to the location of the extracted device data folder and open it.

3. Click Next to go to the Examination tools (on page 69) step.

If an extraction is already open, you can select to merge this extraction
with the existing person or open the extraction as a separate project.

(Screenshot: "Merge device?" prompt with the options "Open the extraction as a separate
project" and "Add the extraction to:" the already open device.)


Using password lists: 


Some encrypted apps and sources may require a password to enable decryption/decoding. In 
these cases, you are required to enter the correct password to successfully decode the data. 


By adding a password list (a dictionary file of all known passwords), you can set the
passwords while creating a case to prevent interruptions while the data is being decoded.


1. In the case wizard, click Add password list. 
2. Click Load password list to add a .txt or .csv file containing the list of passwords. 
3. Enter the IMEI number to decrypt WeChat application data (optional).
4. Click Ok.


[Screenshot: Case wizard, Add password list step, showing the Load password list button and the IMEI (optional) field]

A password is required to decode data from apps that are password encrypted. By adding a password list before decoding, a dictionary file of all known passwords will allow the decoding process to complete.

» Supported file format: .txt or .csv file containing a list of passwords, each on a separate line.
» A password list can contain a maximum of 10,000 passwords. Additional decoding time is required for long password lists.
» IMEI (optional): insert the device IMEI number (without spaces or dashes) to decrypt WeChat application data.
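As an added example (not Cellebrite code), the following Python pre-flight check applies the constraints stated above to a password list and an IMEI before they are entered in the case wizard: it reads a .txt or .csv list with one password per line, drops exact duplicates, warns when the 10,000-entry limit is exceeded, and normalizes the IMEI by removing spaces and dashes. The first-column convention for .csv files and the IMEI Luhn check-digit validation are assumptions added here, not rules the manual states.

```python
"""Pre-flight checks for a Physical Analyzer password list and a WeChat IMEI.

Added example, not Cellebrite code. It applies the rules stated in the Add
password list dialog: a .txt or .csv file with one password per line, at most
10,000 passwords, and an IMEI entered without spaces or dashes.
"""
import csv
import io

MAX_PASSWORDS = 10_000  # limit stated in the Add password list dialog


def load_password_list(text, fmt="txt"):
    """Return (passwords, warnings) parsed from the text of a password list.

    fmt is "txt" (one password per line) or "csv" (assumption: the password
    is the first cell of each row, so a second column can hold notes).
    Blank lines are skipped and exact duplicates are dropped, keeping order;
    inner and trailing spaces are kept because they may be part of a password.
    """
    if fmt == "txt":
        raw = text.splitlines()
    elif fmt == "csv":
        raw = [row[0] if row else "" for row in csv.reader(io.StringIO(text))]
    else:
        raise ValueError("password list must be a .txt or .csv file")

    passwords, seen, warnings = [], set(), []
    for line_no, pw in enumerate(raw, 1):
        if pw.strip() == "":
            continue  # blank line, not a password
        if pw in seen:
            warnings.append(f"line {line_no}: duplicate entry dropped")
            continue
        seen.add(pw)
        passwords.append(pw)

    if len(passwords) > MAX_PASSWORDS:
        warnings.append(
            f"{len(passwords)} passwords exceed the {MAX_PASSWORDS} "
            "limit stated in the Add password list dialog")
    return passwords, warnings


def normalize_imei(value):
    """Strip spaces and dashes as the dialog requires and validate the result.

    Returns the 15-digit IMEI string, or raises ValueError. The Luhn check on
    the 15th digit is the standard IMEI check digit (general knowledge, not
    something the manual states).
    """
    digits = value.replace(" ", "").replace("-", "")
    if not (digits.isdigit() and len(digits) == 15):
        raise ValueError("IMEI must be 15 digits after removing spaces and dashes")
    total = 0
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the left
            d *= 2
            if d > 9:
                d -= 9
        total += d
    if total % 10 != 0:
        raise ValueError("IMEI check digit is invalid")
    return digits
```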
4.3.2.1. Warrant returns


Decodes warrant return packages from the following service providers:

» Apple iCloud: Decodes data from iCloud backups received from Apple as evidence.
» Instagram: Decodes Instagram warrant return files.
» Facebook: Decodes Facebook warrant return files.
» Google: Decodes Google warrant return files.
» Snapchat: Decodes Snapchat warrant return files.
» Discord: Decodes Discord warrant return files.
» TextNow: Decodes TextNow warrant return files.


To decode warrant returns:

1. Select Add > Warrant returns. The following window appears.

[Screenshot: Warrant returns window ("Decodes warrant return packages") with the service provider icons and the File system extraction section (Select folder or ZIP archive)]

2. Select the service provider.
3. Select the file system extraction (folder or zip file). For more information, see Adding a file system extraction (on page 49).
4. (Optional) Click Save UFD to save a .ufd file for this project. If you create a UFD file, you will not have to go through this process again in the future to open this particular case.
5. Click Next.
4.3.2.2. GrayKey
Decodes iOS data from full file system extractions. 


To decode Apple iOS GrayKey extractions:

1. Select Add > GrayKey. The following window appears.

[Screenshot: Apple iOS GrayKey window (GrayKey Full File System Backup) with the Binary extraction section, the Keychain plist field and the File system extraction section (Select folder or ZIP archive)]

2. Select the keychain plist (optional).
3. Select the file system extraction (folder or zip file). For more information, see Adding a file system extraction (on page 49).

GrayKey extractions include both the full file system (binary image) and the external keychain plist file (not part of the folder or zip file). In a single session, you can decode both the GrayKey image and the keychain plist files.

4. (Optional) Click Save UFD to save a .ufd file for this project. If you create a UFD file, you will not have to go through this process again in the future to open this particular case.
5. Click Next.
4.3.2.3. Open (Advanced)


The Open (Advanced) feature enables you to specify the device data extraction and decoding options.

Select from two main project opening methods:

» Select a UFED extraction - Enables you to specify how to decode a UFED extraction file (*.ufd). See Advanced opening of a UFED extraction file (below).
» Start without a .ufd file - Enables you to start to decode a physical extraction or a file system that was not generated by a UFED unit. See Advanced opening of a non-UFED extraction file (on page 49).

This feature is available with Physical Analyzer only.


4.3.2.3.1. Advanced opening of a UFED extraction file 


The standard open process activates a decoding process set according to the device and 
manufacturer information logged in the *.ufd file. 


Using the Open advanced method enables you to skip the standard Open process, and 
specify a custom parsing process, or specify how to parse unknown devices. 


To create a new project from UFED extracted data using Open (advanced): 


1. Select Add > Open (advanced). The following window appears, enabling you to set the process of decoding the extracted data for your new project.
[Screenshot: Open (Advanced) window with two options: Select a UFED extraction (for a UFED extraction, select the UFD file in the extraction folder) and Start without a UFD file (Blank project or Select Device; use this option if another method was used to extract the data, e.g., chip-off or a different tool)]

2. Click Select a UFED extraction.
3. In the Open dialog, select the *.ufd file to be processed and click OK. The following window appears.

[Screenshot: Advanced Customization panel for a Samsung GT-i9205 Galaxy Mega 6.3 (Android) ("Decodes certain types of Android devices using the metadata from the extraction") showing the Switch device button, the AndroidDD decoding chain, the Binary extraction section (Image0 with its .bin path) and the File system extraction section, with the Save UFD, Back and Next buttons]

If required, you can click to switch the selected device, switch the chain or customize the chain. For more information, see Changing the decoding chain (on the facing page).

4. Select the file system extraction (folder or zip file). For more information, see Adding a file system extraction (on page 49).
5. (Optional) Click Save UFD to save a .ufd file for this project. If you create a UFD file, you will not have to go through this process again in the future to open this particular case.
6. Click Next.


Specifying a different device 


You can specify an entirely different decoding process for the extraction by replacing the 
selected device. 


1. From the Open (advanced) dialog, click Switch Device. The following window appears.

[Screenshot: Open (Advanced) window with the options Select a UFED extraction and Start without a UFD file (Blank project or Select Device)]

2. From the Select Device list, select the desired device.
3. To filter the displayed devices, do one of the following:
» Click the device manufacturer in the list of manufacturers on the left pane.
» Enter the device manufacturer or model in the Quick Filter field to filter the displayed devices.
4. Click Next to return to the Advanced Customization panel.
Changing the decoding chain


A chain is a set of plug-ins grouped together in a certain order, which is used to decode the 
extracted data. Each device in the supported devices list of the application has a predefined 
decoding chain assigned to it. 


Besides plug-ins, a chain can also include other chains, a simpler way to use a predefined set of plug-ins within another chain.

For more information about decoding chains and plug-ins, see Advanced decoding (on page 404) and Plug-ins (on page 416).


To select a different chain: 


1. In the Open (advanced) dialog, click Switch Chain. The Switch Chain dialog opens and displays the default chain assigned to the device.

[Screenshot: Switch Chain dialog with the Quick Filter field, the current decoding method (iPhoneFS: "Decodes iPhone file systems and content") and the Current Device section]

A device can have several assigned chains, but only one of them can be set as the default chain.
2. From the chains list, select the desired chain in one of the following ways:


» Select the manufacturer name under the Current Device section to display the 
chains assigned to devices of the same manufacturer. 


» Under the Chains section of the list: 

» Select My Chains to select from the list of custom chains you constructed.
» Select All Chains to select from the list of all predefined device chains. 
» Use the Quick Filter field to filter the displayed list items. 


3. Select the relevant chain, and click Select to return to the Advanced Customization panel. 


The default chain is replaced by the selected chain. 


To edit the current chain: 


1. Click Edit. The chain structure dialog of the current chain opens and displays the chain.

[Screenshot: chain structure dialog for iPhoneFS ("Decodes iPhone file systems and content") with the Add Chain/Plugin button and the component iPhone Backup Parser, which parses all iPhone Backup/Logical/FS dumps, including decryption and/or file system creation when necessary]
2. To add a component to the chain:
a. Click Add Chain/Plugin.
b. From the Component Library, select one of the following:

[Screenshot: Component Library with a Quick Filter field and plug-ins such as AgereCallLogs (reads call logs from the Samsung Agere family of phones), AgerePhoneBook, AgereReader, AgereSMS, Android Databases, AndroidMD (parses the metadata for Android dumps), AndroidUnlockPassword (decrypts the numeric lock password for Android devices) and AndroidUnlockPattern (decodes the Android unlock pattern)]

» Device: The entire chain of a specific device.
» Chain: A specific predefined chain.
» Plugin: A specific plug-in.

Items selected under both Device and Chain are added to the chain as a Chain component.

3. Click + to add the component.
4. To remove a component from the chain list, click the x at the right of the component item, then click Yes to approve.
5. Click OK to return to the Advanced Customization panel. The default chain is replaced by the customized chain.


To save a customized chain: 


After you customize a chain, you can save the changes made to the chain for future use using the Save As or Save buttons in the Selected Chain section.

The Save button is available only for customizations of unlocked user-defined chains saved in My Chains. For more information about user-defined chains, see Managing chains (on page 404).

1. Click Save to replace the user-defined chain with the current one, or Save As to save the current chain as a new chain.
2. If you clicked Save As, enter a name for the new chain and click Save.

[Screenshot: Save Chain As dialog with the name "iPhone (Copy)"]

The new chain is added to the My Chains list of customized chains of the application, and the saved chain appears as the Selected Chain.
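The chain semantics described in this section (an ordered list of plug-ins and nested chains, a Device or Chain item added as a single Chain component, predefined chains edited only through a Save As copy) can be modelled in a few lines. The following Python is an added example, not Cellebrite code; the chain and plug-in names are taken from the dialogs shown above, and the locking behaviour is an assumption derived from the note that Save is available only for unlocked user-defined chains.

```python
"""Model of a Physical Analyzer decoding chain as described in this section.

Added example, not Cellebrite code. A chain is an ordered list of components,
each either a plug-in (by name) or another chain; a Device component is that
device's chain, so it is stored as a Chain as well. Predefined chains are
treated as locked, so customizations are made on a Save As copy in My Chains.
"""
import copy


class Chain:
    def __init__(self, name, components=None, locked=False):
        self.name = name
        self.components = list(components or [])  # str (plug-in) or Chain
        self.locked = locked  # assumption: True for predefined (All Chains) entries

    def _check_unlocked(self):
        if self.locked:
            raise PermissionError(
                f"{self.name} is a predefined chain; use save_as() first")

    def add_plugin(self, plugin_name):
        """Append a plug-in component (Add Chain/Plugin > Plugin)."""
        self._check_unlocked()
        self.components.append(plugin_name)

    def add_chain(self, chain):
        """Append a Chain component (Add Chain/Plugin > Chain or > Device)."""
        self._check_unlocked()
        self.components.append(chain)

    def remove(self, index):
        """Remove the component at the given position (the x next to an item)."""
        self._check_unlocked()
        del self.components[index]


def save_as(chain, new_name):
    """Save As: an unlocked, independent copy that goes into My Chains."""
    new = copy.deepcopy(chain)
    new.name = new_name
    new.locked = False
    return new


def resolve(chain, _path=()):
    """Flatten a chain into the ordered list of plug-ins that would run.

    Nested chains are expanded in place. A chain that includes itself,
    directly or through another chain, raises ValueError instead of
    recursing forever.
    """
    if chain.name in _path:
        raise ValueError("chain cycle: " + " > ".join(_path + (chain.name,)))
    path = _path + (chain.name,)
    plugins = []
    for comp in chain.components:
        if isinstance(comp, Chain):
            plugins.extend(resolve(comp, path))
        else:
            plugins.append(comp)
    return plugins
```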


Adding a binary dump 


You can add additional binary dump (extraction or image) files received from different sources in Open (advanced).

[Screenshot: Blank project panel ("Decodes a device from a blank project") with the Select device button, the Binary extraction section listing New Image and New Image #2 with their file paths, the File system extraction section (Select folder or ZIP archive) and the Save UFD, Back and Next buttons]

» Click the add button to add an extraction. Each binary extraction you add is shown in the window.
» To remove an extraction, click the remove icon that appears when you position the mouse over it.
Adding a file system extraction

You can add a file system extraction to the project received either as a ZIP archive or as a folder containing the file system extraction files.

» To add a file system extraction, click either Zip Archive (ZIP, TAR or DAR) or Folder, and select the archive or folder you wish to add.

You can add one file system extraction only. Trying to add more than one removes the previously added file system extraction, regardless of whether it is a zip archive or folder.


4.3.2.3.2. Advanced opening of a non-UFED extraction file

When you receive binary or file system extractions that were not generated by a UFED unit, or you do not have the *.ufd file that accompanies them, you can use the Open (advanced) feature to define how to decode them for the new project.

1. Select Add > Open (advanced). The Open (advanced) window appears, enabling you to set the process of decoding the extracted data for your new project.

[Screenshot: Open (Advanced) window with the options Select a UFED extraction (for a UFED extraction, select the UFD file in the extraction folder) and Start without a UFD file (Blank project or Select Device; use this option if another method was used to extract the data, e.g., chip-off or a different tool)]

2. The Start without a UFD file option provides you with two starting points for your new project:

» Blank Project: Provides you with an empty Advanced Customization panel to set your process parameters and data. This option is useful when you have no information about the device and/or manufacturer, and would like to construct a custom decoding process. See Starting from a blank project (on the facing page).
» Select Device: Select the specific device definition to use to decode the data extraction. This option is useful when the device manufacturer and model are known to you. See Starting with device selection (below).
Starting with device selection

Create a new project for data extraction based on a known device.

1. In the Open (Advanced) window, click Switch Device.
2. From the Select Device list, select the desired device.

[Screenshot: Device Selection window ("Select the device for your input data") with the Select Device list and the Quick Filter field]

3. Use the list of manufacturers on the left to filter the displayed devices by manufacturer, and the Quick Filter field to filter the displayed devices by any string.
4. Click Next. The Advanced Customization panel displays the name and default decoding chain of the selected device.
» To select a different device, see Specifying a different device (on page 44).
» To select a different parsing chain, see Changing the decoding chain (on page 45).
» To customize the parsing chain, see Changing the decoding chain (on page 45).
» To add a file system extraction, see Adding a file system extraction (on page 49).
5. (Optional) Click Save UFD to save a .ufd file for this project. If you create a UFD file, you will not have to go through this process again in the future to open this particular case.
6. Click Finish.


Starting from a blank project

1. In the Open (Advanced) window, click Blank project. The following window appears.

[Screenshot: Blank project panel ("Decodes a device from a blank project") with the Select device button, the Binary extraction section, the File system extraction section (Select folder or ZIP archive) and the Back button]

» To select a device, see Specifying a different device (on page 44).
» To select a parsing chain, see Changing the decoding chain (on page 45).
» To customize the parsing chain, see Changing the decoding chain (on page 45).
» To add binary extractions, see Adding a binary dump (on page 48).
» To add a file system extraction, see Adding a file system extraction (on page 49).
2. (Optional) Click Save UFD to save a .ufd file for this project. If you create a UFD file, you will not have to go through this process again in the future to open this particular case.
3. Click Finish.
4.3.2.3.3. JTAG extractions

JTAG (Joint Test Action Group) is an advanced method of data extraction that requires a forensic examiner to connect to the test access ports of the device to obtain a full physical image. This enables the examiner to unlock and gain access to the raw data stored on the memory chip.

JTAG is non-destructive and offers the opportunity to access data from devices that have been altered or damaged in some way, where data ports are unavailable (or disconnected), or where it is otherwise impossible to unlock the device using other forensic tools.

Physical Analyzer automates the JTAG decoding process and saves you time in that you no longer need to manually decode the large volume of raw data found in JTAG extractions.

For an updated list of devices that support JTAG extractions, refer to the UFED Phone Detective Mobile App or the UFED Supported Devices document in MyCellebrite.

Once you have the physical memory that was acquired with this method, you can load it into Physical Analyzer for decoding. When loading the appropriate UFED JTAG chain, you receive all the data as if it were a regular extraction.

The main difference between a JTAG extraction and a UFED extraction is the location of "spares" inside the extraction. Spares is the technical term for the metadata of blocks inside the extraction. They can be located in several places inside the extraction. In regular extractions, they are located at the end of each block. In JTAG extractions, they are located at the end of the extraction.
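The two spare-area layouts just described can be converted into one another once the block and spare sizes are known, which is what a decoding chain has to do before the file system parsers can run. The following Python is an added example, not Cellebrite code; the block and spare sizes are caller-supplied assumptions and the sample image is constructed for the demonstration.

```python
"""Re-laying out spare areas between the two dump layouts this section describes.

Added example, not Cellebrite code. In a regular (UFED) extraction every data
block is immediately followed by its spare area (the block's metadata); in a
JTAG extraction all data blocks come first and all spare areas are collected at
the end of the image. Both conversions assume fixed block and spare sizes and an
image that is a whole number of block+spare units; the sizes are supplied by
the caller (real NAND pages are commonly 2048 data + 64 spare bytes).
"""


def _unit_count(image, block_size, spare_size):
    """Number of block+spare units in the image, or ValueError if it does not divide."""
    unit = block_size + spare_size
    if block_size <= 0 or spare_size <= 0 or len(image) % unit:
        raise ValueError("image is not a whole number of block+spare units")
    return len(image) // unit


def jtag_to_interleaved(image, block_size, spare_size):
    """Convert data-then-spares (JTAG) layout to block/spare interleaved layout."""
    n = _unit_count(image, block_size, spare_size)
    data_area = image[: n * block_size]
    spare_area = image[n * block_size :]
    out = bytearray()
    for i in range(n):
        out += data_area[i * block_size : (i + 1) * block_size]
        out += spare_area[i * spare_size : (i + 1) * spare_size]
    return bytes(out)


def interleaved_to_jtag(image, block_size, spare_size):
    """Inverse: move each block's trailing spare area to the end of the image."""
    n = _unit_count(image, block_size, spare_size)
    unit = block_size + spare_size
    data, spares = bytearray(), bytearray()
    for i in range(n):
        chunk = image[i * unit : (i + 1) * unit]
        data += chunk[:block_size]
        spares += chunk[block_size:]
    return bytes(data + spares)


def data_only(image, block_size, spare_size, layout):
    """Strip the spare areas from either layout, leaving only the data blocks."""
    n = _unit_count(image, block_size, spare_size)
    if layout == "jtag":
        return bytes(image[: n * block_size])
    if layout == "interleaved":
        return interleaved_to_jtag(image, block_size, spare_size)[: n * block_size]
    raise ValueError("layout must be 'jtag' or 'interleaved'")


# Constructed sample: three 4-byte data blocks, each with a 2-byte spare area.
SAMPLE_JTAG = b"AAAABBBBCCCC" + b"aabbcc"            # data first, spares last
SAMPLE_INTERLEAVED = b"AAAAaa" + b"BBBBbb" + b"CCCCcc"  # spare after each block

if __name__ == "__main__":
    assert jtag_to_interleaved(SAMPLE_JTAG, 4, 2) == SAMPLE_INTERLEAVED
    assert interleaved_to_jtag(SAMPLE_INTERLEAVED, 4, 2) == SAMPLE_JTAG
    print(data_only(SAMPLE_JTAG, 4, 2, "jtag"))
```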


To decode the data extraction using JTAG:

1. In the Open (advanced) window, click Select Device.
2. To filter the displayed devices, enter the device manufacturer or model in the Quick Filter field, or click the device manufacturer in the list of manufacturers on the left pane.

[Screenshot: Device Selection window ("Select the device for your input data") with the Select Device list and the Quick Filter field]

If JTAG is not supported for the required device, you can enter "jtag" in the Quick Filter field to select a generic JTAG device.

[Screenshot: Device Selection window with "jtag" entered in the Quick Filter field]

3. Select the required device and click Next. The following window appears.

[Screenshot: Decoding method selection window ("Select the decoding method for your input data") for JTAG_HTC, listing JTAG - Android MMC-SD]

4. Select the decoding method and click Next. The available methods change from device to device. The following window appears.

[Screenshot: HTC JTAG panel with the Switch device button, the QCAndroidHTC JTAG chain, the Binary extraction section (Image) and the File system extraction section (Select folder or ZIP archive)]

5. Click the add button to add a binary extraction. Each binary extraction you add is shown.
6. Click Next.


4.3.2.3.4. Saving a .ufd file

At any point of setting the Open (advanced) parameters, you can click Save UFD to save a *.ufd file that logs the selected binary extractions and device information for future use. The next time you need to decode that case, you can just open the UFD file.
4.3.2.4. Common sources

Common decoding plug-ins:

» Backup (on the facing page)
» Storage device (on page 62)
» Drones (on page 63)
» Vehicle forensics (on page 64)
» Android emulator (on page 65)

[Screenshot: Case wizard, Load evidence step, with the Add menu open: Load extraction, Warrant returns, iOS File System / Backup / GrayKey extraction (Ctrl+G), Open (Advanced) (Ctrl+Shift+O), and Common source with the submenus Backup, Storage device, Drones, Vehicle forensics and Android emulator]
4.3.2.4.1. Backup

[Screenshot: Case wizard, Load evidence step, with the Common source > Backup submenu listing Android - ADB backup, Android - MTK backup (.backup files), BlackBerry - BlackBerry 10 backup (bbb), Google Takeout (Google Archive), Huawei - Huawei backup, iTunes backup and LG - LG backup (lbf)]

» Select Common source > Backup > Android - ADB backup

Decodes Android ADB backup files.

[Screenshot: Google Android ADB (Backup) panel ("Decodes the Android ADB backup file") with the AndroidADB Backup chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]
» Select Common source > Backup > Android - MTK backup (.backup files)

Decodes Android MTK backup files.

[Screenshot: Google Android Generic panel ("Decodes Android Userdata partition backup") with the Android Userdata Backup chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]
» Select Common source > Backup > iTunes backup

Decodes data from iPhone backups.

[Screenshot: Apple iOS iTunes (Backup) panel ("Decodes data from iPhone backup") with the iPhoneBackup chain and the File system extraction section (Select folder or ZIP archive)]
» Select Common source > Backup > BlackBerry - BlackBerry 10 backup (bbb)

Decodes BlackBerry 10 bbb backup files.

[Screenshot: BlackBerry bbb file (BlackBerry 10 backup) panel ("Open BlackBerry10 bbb Backup files") with the BlackBerry10 Backup chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]
» Select Common source > Backup > Google Takeout (Google Archive)

Decodes Google applications from Google Takeout.

[Screenshot: Google Account Backup panel ("Decodes Google applications from Google Archive dump") with the Google Takeout chain and the File system extraction section (Select folder or ZIP archive)]
» Select Common source > Backup > Huawei - Huawei backup

Opens Huawei backup data.

[Screenshot: Huawei HiSuite or External memory backup panel ("Opens Huawei backup data") with the Huawei Backup chain and the File system extraction section (Select folder or ZIP archive)]
» Select Common source > Backup > LG - LG backup (lbf)

Decodes data from LG Backup files.

[Screenshot: LG lbf file (LG backup) panel ("Open LG backup file") with the LG Backup chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]


4.3.2.4.2. Storage device

» Select Common source > Storage device > SD card

Decodes standard file systems from physical mass storage device extractions.

[Screenshot: SD CARD panel ("Decodes standard file systems from physical Mass Storage Device dumps") with the Mass Storage Device Filesystems chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]
4.3.2.4.3. Drones

» Select Common source > Drones > DJI - DAT files

Decodes DAT log files from DJI drones including internal and external SD cards.

[Screenshot: Drone DJI generic panel ("Decodes DJI drones data") with the Switch device button, the DJI drones chain, the Binary extraction section (Select int storage file, Select Ext storage file, New image) and the File system extraction section (Select folder or ZIP archive)]

» Select Common source > Drones > DJI Physical extraction

Decodes data from DJI drones including internal and external SD cards.

[Screenshot: Drone DJI Generic panel ("Decodes DJI drones data") with the DJI Drones chain, the Binary extraction section (Internal Storage, External Storage) and the File system extraction section (Select folder or ZIP archive)]
4.3.2.4.4. Vehicle forensics

» Select Common source > Vehicle forensics > iVE (.ivo file)

Decodes vehicle data to uncover critical information during an investigation. See Vehicle forensics (on page 66).

[Screenshot: iVE Vehicle Forensics panel ("Decodes vehicle data to uncover critical information during an investigation such as routes, locations, vehicle events, connected devices, and media") with the iVE chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]
4.3.2.4.5. Android emulator

» Select Common source > Android emulator > Android .vmdk

Decodes Android Emulator VMDK files.

[Screenshot: Google Android Generic panel ("Decodes certain types of Android devices using the metadata from the extraction") with the AndroidDD chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]
4.3.2.5. Vehicle forensics

Physical Analyzer can ingest and decode vehicle forensic files (.ivo) to uncover critical information during an investigation.

Ingested data types for vehicle forensics files include:

» Call logs
» Contacts
» Databases
» Device info
» Devices
» Journeys
» Locations
» Searched items
» Timeline

To ingest and decode vehicle forensics files:

1. Go to File > Open case.
2. Click Add.
3. Select Common source > Vehicle forensics > iVE (.ivo file).

[Screenshot: Case wizard, Load evidence step, with the Add menu open (Load extraction, Warrant returns, iOS File System / Backup / GrayKey extraction (Ctrl+G), Open (Advanced) (Ctrl+Shift+O), Common source)]

4. In the iVE Vehicle Forensics window, click .ivo file.
[Screenshot: iVE Vehicle Forensics window ("Decodes vehicle data to uncover critical information during an investigation such as routes, locations, vehicle events, connected devices, and media") with the iVE chain, the Binary extraction section and the File system extraction section (Select folder or ZIP archive)]

5. Select the file and click Open.
6. Click Next.

For file system extractions, click Select folder or ZIP archive.

7. In the Load evidence screen, click Next.

[Screenshot: Case wizard, Load evidence step, listing the selected .ivo file, with the Examine data and Next buttons]

Click Examine data to skip the next step and begin ingestion.
8. In the Examination tools screen, select the tools to run on the device.
9. Click Examine data. The decoding begins.

[Screenshot: Case wizard, Examination tools step ("Apply examination tools & Enrichment engines") with Hash sets, Carve locations, Recover data from archives, Selective apps decoding and Enrichment engines, and the Back and Examine data buttons]
4.3.3. Examination tools

In this step, you select the examination tools before decoding starts to prepare the evidence for the case. Select from the following examination tools:

» Hash sets: Compares the MD5 hash sets of images, videos and files to databases of known and blacklisted files. For more information, see Importing and categorizing hash sets (on page 152).
» Carve locations: Decodes additional location data from unallocated space and unsupported databases. For more information, see Carving locations (on page 361).
» Recover data from archives: Decodes and processes additional data from archive (zip) files. This tool requires additional decoding time.
» Selective apps decoding: Select apps to decode and review from the apps installed on the examined device. For more information, see Selective apps decoding (on page 353).
» Enrichment engines: Classify images and videos based on categories relevant to the case. Clicking Select categories allows you to select the categories to be included in the classification. For more information, see Media classification (on page 346).

Running the Suspected CSA category may increase process time and memory consumption. Use a GPU card (NVIDIA® GPU card with CUDA® compute capability 3.5 or higher) to boost the speed of this process.


[Screenshot: Case wizard, Examination tools step ("Apply examination tools & Enrichment engines") with Hash sets (Select hash sets), Carve locations, Recover data from archives, Selective apps decoding (Settings) and Enrichment engines, and the Back and Examine data buttons]


To select the examination tools to run on the case: 


1. Select the required examination tools. 


2. Click Examine data to start the decoding process. 
4.4. Analyzing multiple extractions

The Multiple Extraction feature enables you to merge multiple extractions into a single project providing unified analysis (views and reports). This feature saves time and reduces the effort required to review different types of extractions with the same data.

You can open UFDX files separately, with extractions in different projects, or you can open a single project with all extractions presented under one unified project. You can merge any of the following extractions: logical, file system, physical, SIM, JTAG, memory card, camera, and open advanced.

This feature decodes and analyzes a single unified project, and can remove duplicates (duplicate or redundant information). The extracted data is presented under one project tree providing the following:

» A unified Extraction Summary and Device Info, with the ability to drill down to each extraction.
» A source extraction for every record.
» Duplicates are grouped together to enable quick and efficient analysis.
» Filtering capabilities. See Using the quick filter (on page 135).
» A unified report of all merged extractions, with an indication of the original extraction source.
4.4.1. Opening and merging projects


You can add any type of extraction to an existing project. You can open a UFDX file that 
contains a number of extractions, or you can add extractions to an existing project. 


To open a UFDX file as a multiple extraction project:

1. Select File > Open or click the Open button and select the EvidenceCollection.ufdx file. (This file is created when you have multiple extractions for a single device.) The following window appears.

[Dialog text: "You are trying to open a UFDX file, which contains more than one extraction from the same device. The file will be opened as a single project as specified in the Settings." with a Don't show this message again check box.]

2. Select the Don't show this message again check box if you do not want this message to be displayed each time you open a UFDX file with multiple extractions.
3. Click OK.


To add an extraction to an open project:

1. Click the Add extraction button or right-click the project and select Add Extraction.
2. Select the required extraction.
3. Click OK.


To open an extraction:

1. Select File > Open or click the Open button and select the file to open. The following window appears.

[Dialog text: "You selected to open an extraction. You can add the extraction to an open project or open it as a separate project. Select one of the following:" with the options Open the extraction as a separate project and Add the extraction to: <open project, for example Samsung GSM_GT-i9205 Samsung Galaxy Mega 6.3>, plus OK and Cancel buttons.]

2. Select to open the extraction as a separate project, or select to add the extraction to an open project.
3. Click OK.
To save the multiple extraction project: 
» Select File > Save as UFDX. 


To close all the tabs of a multiple extraction project: 


» Select File > Close tabs and select the project. 


4.4.2. Extraction Summary 


The Extraction Summary area in the project tree includes all extractions included in the 
multiple extraction project. Each extraction appears in a different color, which helps you 
identify the origin of the data in the various Analyzed data tabs. 


The Extraction Summary tab includes a summary of all the extractions in the All Content tab 
and there is a separate tab for each extraction. An example of a multiple extraction project 
is displayed next. 


[Screenshot: Extraction Summary tab of a multiple extraction project, with an All Content tab and a separate tab for each extraction (Advanced Logical (1), Advanced Logical (2), Physical).]


For more information regarding the data presented in the Extraction Summary tab, see Extraction summary tab (on page 98).
4.4.3. Renaming projects and extractions

When a project with multiple extractions opens, the project is called Multi-project. You can rename this project. You can also rename the default names of the extractions in the project. For more information on renaming extractions, see All Content tab (on page 98).
To rename a project: 


1. Click the menu icon next to the project name.
2. Select Rename. The following window appears.

[Rename window: shows the current name (for example, Samsung GSM_GT-i9506 Galaxy S4_2020-05-26_Report) and the prompt "Enter a new device name:".]

3. Enter the required name for the device.
4. Click Save.
4.4.4. Decoding and analysis


Decoding is initiated on the multiple extraction project, allowing deduplications to be 
displayed or filtered out. All extracted data is presented under one project tree. 


In the Analyzed data area, you can see deduplications, and the bar graph indicates the source extraction for the data. The colors of the bars match the colors of the extractions in the Extraction summary tree area. If required, you can change the settings to remove deduplications. For more information, see General settings (on page 421).


The following example from the Analyzed Data area shows information that is relevant to a multiple extraction project.

[Screenshot of the Analyzed Data area with the following callouts:]
» Related items filter.
» The * indicates that additional information is available within one of the merged items.
» Item with deduplications.
» Source extraction icons.
» 24 items include deduplications.
» View shows 75 of 75 selected items.
» 75 items selected.
» Additional information can be viewed here.
» The extraction from which the data was derived.

The following example from the Data Files area shows information that is relevant to a multiple extraction project.
4.4.5. Multiple extraction settings


When using a multiple extraction project, the following settings in the General Settings area 
can be used: 


» Automatically adjust timestamps to UTC+0 

» Automatically adjust timestamps according to the device's time zone 
» Open a UFDX file as a multi project 

» Remove duplicates 


For more information on these settings, see General settings (on page 421).
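As an added illustration (not Cellebrite code), the following Python sketch models what a multiple extraction project does with the settings above: records from several extractions are merged into one project, copies of the same item are grouped as deduplications while the source extraction of each copy is retained (or dropped when Remove duplicates is on), and timestamps are normalized to UTC+0 or to the device's time zone. The extraction names, record fields and the UTC+2 device time zone are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed assumption: the device's time zone is UTC+2.
DEVICE_TZ = timezone(timedelta(hours=2))


@dataclass(frozen=True)
class Record:
    """One decoded item as it appears in a single extraction."""
    kind: str            # category, e.g. "Contacts" or "Instant Messages"
    party: str
    body: str
    timestamp: datetime  # timezone-aware, as decoded from the source


@dataclass
class MergedItem:
    """One row of the unified project: a record plus every extraction that holds it."""
    record: Record
    sources: list        # extraction names, in the order they were merged

    @property
    def has_deduplications(self) -> bool:
        return len(self.sources) > 1


def dedup_key(r: Record) -> tuple:
    # Two records are the same item when their content matches once the
    # timestamp is normalized to UTC; the zone an extraction stored it in
    # is not part of the identity.
    return (r.kind, r.party, r.body, r.timestamp.astimezone(timezone.utc))


def merge_extractions(extractions: dict, remove_duplicates: bool = False) -> list:
    """Merge {extraction name: [Record, ...]} into one project tree.

    Every distinct item becomes one MergedItem that keeps the list of source
    extractions (the "source extraction per record" of the manual). With the
    Remove duplicates setting on, later copies are dropped instead of grouped.
    """
    items: dict = {}
    for name, records in extractions.items():
        for r in records:
            k = dedup_key(r)
            if k not in items:
                items[k] = MergedItem(record=r, sources=[name])
            elif not remove_duplicates:
                items[k].sources.append(name)
    return list(items.values())


def adjust_timestamp(ts: datetime, mode: str) -> datetime:
    """The two timestamp settings: 'utc' -> UTC+0, 'device' -> the device time zone."""
    if mode == "utc":
        return ts.astimezone(timezone.utc)
    if mode == "device":
        return ts.astimezone(DEVICE_TZ)
    raise ValueError(f"unknown timestamp mode: {mode!r}")


def extraction_summary(merged: list) -> dict:
    """Unified summary: item counts per source extraction and how many items
    include deduplications (the "24 items include deduplications" figure)."""
    per_extraction: Counter = Counter()
    for item in merged:
        per_extraction.update(item.sources)
    return {
        "items": len(merged),
        "per_extraction": dict(per_extraction),
        "with_deduplications": sum(1 for i in merged if i.has_deduplications),
    }


# Constructed sample: the same contact decoded from an advanced logical and a
# physical extraction (stored in different zones), plus one chat message that
# only the physical extraction contains.
SAMPLE_EXTRACTIONS = {
    "Advanced Logical": [
        Record("Contacts", "Alice", "+15550100",
               datetime(2015, 2, 1, 7, 23, 40, tzinfo=timezone.utc)),
    ],
    "Physical": [
        Record("Contacts", "Alice", "+15550100",
               datetime(2015, 2, 1, 9, 23, 40, tzinfo=DEVICE_TZ)),
        Record("Instant Messages", "From: 2909288299", "hello",
               datetime(2015, 2, 1, 6, 34, 48, tzinfo=timezone.utc)),
    ],
}

if __name__ == "__main__":
    project = merge_extractions(SAMPLE_EXTRACTIONS)
    print(extraction_summary(project))
    for item in project:
        print(item.record.kind, item.sources,
              adjust_timestamp(item.record.timestamp, "utc").isoformat())
```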


4.4.6. Reporting 


You can generate a unified report for a multiple extraction project, with an indication of the original extraction source. For more information on the reporting settings that are applicable to multiple extractions, see "Include merged items (analyzed data)", "Include merged items (data files)" and "Include source info" in Generating a report (on page 257).
4.5. Saving a project session


Save the project session to save your work on the project, enabling you to close Physical 
Analyzer and restart your session at a later time. 


The saved session file (.pas) includes:


» User selection in the Analyzed Data and Data Files tables 
» Case Information settings 
» Generated reports 

» Hex tags 

» Location address 

» Opened tabs 

» Project name 

» Project settings 

» Report selection 

» Searches 

» Tags 

» Translations 

» Unified time zone settings 
» User sorting in data tables 
» Verifying hash values 

» Watch list results 


A project session can also be created for extractions performed by third party tools. 


Saved project sessions do not contain defined settings. For more information on how to save your settings, see Saving settings (on page 445).


To save a project session: 


1. In the File menu, select Save project session. The Save As dialog box appears. 
2. Browse to the location where you want to save the project session file. 
3. To change the file name, edit the automatically assigned name in the File name box. 


To overwrite an earlier session, choose the same file name. 


4. Click Save. 
4.6. Adding external files


If required, you can include related artifacts in your case. These are external files such as 
search warrants, additional images and relevant documents. These files will be added to the 
project tree, under Additional files and can be included in reports. 

To add external files to the report:

1. Click Add external files in the Extraction Summary, or click the menu icon next to the project and select Add external file.
2. Select the file. The following window appears.

[Additional files window: "Add external files such as search warrants, additional images and relevant documents to your case. These files will be added to the project tree, under 'Additional files' and can be included in reports." with File name and Category fields (for example, Agency form).]

3. Enter a name for the file.
4. Enter or select a category.
5. If required, enter any notes. For images, you can use the drawing tool on the left to draw text, add shapes, crop, resize, rotate, and flip the image. You can also copy the image to the Clipboard.
6. Click Add to project and select the project. The file is located in Reports > Additional files > External files.

[Project tree example: Reports > Additional files (4) > External files (1) > No category (1); Screen capture (2) > No category (2); Video recording (1) > No category (1).]

7. Open the files from here and select or clear the check box to include or exclude files from the report.

[Screenshot: the external files tab listing the Name, Note, Path, Size, Metadata and Created columns for each added file, for example Consent form.docx.]

8. When generating a report, select the Additional Files check box.


4.7. Loading a project session 




1. From the Welcome tab, open the project that you want to work in.
2. In the File menu, select Load project session.
3. In the Open dialog box, browse to and select the project session file that you want to open.
4. Click Open. The session opens.


4.8. Closing a project 


» Do one of the following:
  » In the File menu, select Close.
  » Right-click the project name in the Project tree and select Close.


4.9. Closing Physical Analyzer 


» In the File menu, select Exit.
4.10. Keyboard shortcuts


Ctrl+B Add an entity bookmark 
Ctrl+D Select a folder for the dump file system 
Ctrl+E Export an account package 
Ctrl+End Move the cursor to the end of a table 
Ctrl+H Open the hash set manager 
Ctrl+K Open the Watch list editor 
Ctri+H Run the Watch list 
Ctrl+M Export the hash database 
Ctrl+Home Move the cursor to the beginning of a table 
Ctrl+I Open iOS device extraction wizard
Ctrl+J Extract GPS or mass storage device 
Ctrl+O Open a file 
Ctrl+P Open project settings 
Ctrl+Q Open the SQLite query manager 
Ctrl+R Open the report wizard 
Ctrl+V Load the Android Emulator 
Ctrl+Shift+0 Open advanced 
Ctrl+T Open settings 
Ctrl+Tab Switch between open tabs 
Ctrl+U Open the UFED Downloader to connect to UFED 
Ctrl+W Close a project 
E Open the product documentation 
Space Select or clear check boxes 
Ctrl+F6 Redact images or videos 
5. Orientation to the workspace

The workspace contains two main areas, the project tree and the data display area, to streamline your workflow.

The workspace contains the following components:
1. Application menu bar
2. All projects search
3. Navigation menu
4. Data display area


5.1. Navigation menu 


Navigate the Physical Analyzer application views from the following navigation menu items: 


» Home 

» Timeline 

» Analyzed data 
» File Systems 
» Insights 

» Tags 

» Reports 

» Cloud 


5.1.1. Home 


The Home view displays the Extraction summary. See Extraction summary tab (on page 98).


5.1.2. Timeline 


Timeline view is a powerful tool that enables you to analyze data in chronological order, to 
identify the order of events and make connections between them. 




Filtering and sorting the timeline table 


The timeline has many advanced filtering and sorting options to drill down to specific data and display it according to the user's needs.

Filter by Type, Timestamp, Party, Description, Source, Source file information, and Extraction.

To filter the timeline:

1. Click the dropdown icon in a column heading.
2. Select the filter options.
3. Click OK.
To clear applied filters, click Clear filters.


Sorting the timeline table 


Sort the timeline table by Type, Timestamp, or Extraction. 


1. Click the dropdown icon in a column heading. 
2. Select either: 

» Sort ascending 

» Sort descending 


The graphical timebar 


The graphical timebar allows you to zoom in to the timeframe in question as well as analyze multiple timestamps of events.


[Screenshot: Timeline tab (Timeline (10021)) with the graphical timebar above the table. The table columns are Type, Timestamp, Party, Description, Source and Source file information; the rows show, for example, Instant Messages, Cookies and Email events with timestamps such as 2/1/2015 6:34:48 AM(UTC+0).]
To select a specific timeframe in the graphical timebar:


1. Click and drag on the time bar to select a timeframe. 
2. Click Apply. 


The table is updated to reflect the selected timeframe. 
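As an added example (not part of the manual or of Physical Analyzer), this Python snippet reproduces the timeline table operations described above on constructed rows written in the display format the tab uses: filtering by column values such as Type and Party, sorting by Timestamp, and restricting the table to a timeframe selected on the timebar, with the Include items without a timestamp option. The rows, the untimed Autofill row and the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamps as the Timeline tab displays them, e.g. "2/1/2015 6:34:48 AM(UTC+0)".
TIMELINE_TS = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\(UTC([+-]\d{1,2})\)$"
)


def parse_timeline_timestamp(text: str) -> datetime:
    """Turn a displayed timestamp into an aware datetime, keeping its UTC offset."""
    m = TIMELINE_TS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized timeline timestamp: {text!r}")
    naive = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
    return naive.replace(tzinfo=timezone(timedelta(hours=int(m.group(2)))))


# Constructed rows modelled on the tab's columns (Type, Timestamp, Party, Description).
SAMPLE_ROWS = [
    {"Type": "Instant Messages", "Timestamp": "2/1/2015 6:34:48 AM(UTC+0)",
     "Party": "From: 2909288299", "Description": ""},
    {"Type": "Cookies", "Timestamp": "2/1/2015 7:23:38 AM(UTC+0)",
     "Party": "", "Description": "[Creation time] tumblr.com"},
    {"Type": "Email", "Timestamp": "2/1/2015 8:15:19 AM(UTC+0)",
     "Party": "From: noreply", "Description": "21 new photos automatically backed up"},
    {"Type": "Instant Messages", "Timestamp": "2/1/2015 11:35:38 AM(UTC+0)",
     "Party": "From: 2909288299", "Description": ""},
    {"Type": "Calendar", "Timestamp": "9/9/1999 12:00:00 AM(UTC+0)",
     "Party": "", "Description": "[Start Date] Birthday"},
    # Constructed row with no timestamp at all (some artifacts carry none).
    {"Type": "Autofill", "Timestamp": "", "Party": "", "Description": "no timestamp"},
]


def filter_rows(rows: list, **selected) -> list:
    """Column filter: keep rows whose value in each named column is one of the
    selected values, e.g. filter_rows(rows, Type={"Cookies", "Email"})."""
    return [r for r in rows
            if all(r[col] in values for col, values in selected.items())]


def sort_rows(rows: list, column: str = "Timestamp", ascending: bool = True) -> list:
    """Sort by a column. The Timestamp column sorts chronologically rather than
    as text; rows without a timestamp sort first so they are never lost."""
    no_ts = datetime.min.replace(tzinfo=timezone.utc)

    def key(r):
        if column != "Timestamp":
            return r[column]
        return parse_timeline_timestamp(r["Timestamp"]) if r["Timestamp"] else no_ts

    return sorted(rows, key=key, reverse=not ascending)


def select_timeframe(rows: list, start: datetime, end: datetime,
                     include_without_timestamp: bool = False) -> list:
    """Timebar selection: keep rows whose timestamp lies within [start, end].
    The Include items without a timestamp option keeps untimed rows as well."""
    kept = []
    for r in rows:
        if not r["Timestamp"]:
            if include_without_timestamp:
                kept.append(r)
            continue
        if start <= parse_timeline_timestamp(r["Timestamp"]) <= end:
            kept.append(r)
    return kept


if __name__ == "__main__":
    start = parse_timeline_timestamp("2/1/2015 7:00:00 AM(UTC+0)")
    end = parse_timeline_timestamp("2/1/2015 9:00:00 AM(UTC+0)")
    for row in sort_rows(select_timeframe(SAMPLE_ROWS, start, end), ascending=False):
        print(row["Type"], row["Timestamp"], row["Party"], row["Description"])
```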


[Screenshot: Timeline tab after applying a timeframe selected on the timebar; the table now shows only the events that fall within the selected range.]


To apply fields to the graphical timebar: 


1. Click the fields selection icon to open the fields selection window.
2. Select the required fields.
3. Click Apply.


[Screenshot: Select Fields window listing the timestamp fields per data type (for example Autofill > Last used date; Calendar > Start Date; Contacts > Created, Last time contacted), with an Auto apply check box, beside the filtered timeline table.]


To zoom in on the graphical timebar, click +. To zoom out, 


To clear timebar settings, click Clear. 
Tagging items on the timeline


Tag timeline items for easier data management. 


[Screenshot: Timeline tab with the tag menu open on selected Instant Messages rows; the menu offers Tag, Remove tag and Manage tags.]
To add a tag to timeline items:

1. Select one or more rows in the timeline table.
2. Click the tag icon.
3. Select Tag.
4. Select the required tags.

[Tag window: Case tags Evidence (F6), Important (F7), Pending (F8), Completed (F9); a Description (optional) field; Clear All and Manage tags links.]

5. Click OK.

The Tags column is updated with the selected tags.


To manage tags:

1. Click the tag icon.
2. Select Manage tags.
3. In the Manage tags window you can:
» Search tags.
» Rename existing tags.
» Delete tags.
» Define tag color.
» Define tag hotkey.
» Create a new tag by clicking New tag.
» Export and import a list of tag labels.
4. Click OK.

[Manage tags window: "Define your tag names, colors and hotkeys"; Global tags Evidence (F6), Important (F7), Pending (F8), Complete (F9); Project VIC categories; Import, Export and New tag buttons.]
Managing timeline settings

1. Click Timeline settings.
2. Select the required settings.
3. Click OK.

[Settings window, Timeline section: Data files display in timeline, with Timestamp fields (Show all; Created, Captured, Modified, Accessed, Deleted, Changed) and Data files type (Show all; Image, Audio, Video); Activities (Show activities, Show device events); Show events in timeline.]
5.1.3. Analyzed data


The Analyzed Data view displays a tree with groups of analyzed data that are related to 
device-specific features such as contacts, Instant messages, call logs, and so on. 


[Screenshot: Analyzed Data tree for a physical extraction (Application, Calendar, Calls, Contacts, Devices & Networks, Location Related, Media, Memos, Messages (Chats, Emails, Instant Messages), Search & Web, System & Logs, User Accounts & Details, Data files), with item counts, beside the Extraction Summary and Device Info panes.]


The available information and what is displayed depends on the device features and 
application version. For example mail messages are sorted according to the account 
through which they were sent or received. An uncategorized account or messages folder lists 
the folders or messages that cannot be categorized in any of the found accounts or account 
folders (Inbox, Outbox, Drafts, and so on). 


The following information types are displayed in the Analyzed data tree: 


Analyzed Data 

» Personal information - Calendar, contacts, notes, call log, user dictionaries, user accounts.
» Messaging items - Email, instant messages, chat¹.
» Web browser items - Bookmarks, history, cookies.
» Media items - Audio, images, and videos.
» GPS information - Locations (including from video files, metadata, and SQLite databases), journeys, fixes. For more information on geolocations, see Device locations (on page 170).
» Public transit ticket - Public transportation ticket information discovered in the extraction.

¹ In some cases, mainly when messages have been deleted, they cannot be forensically placed in a Chat. To maintain forensic accuracy of the messages, they are placed in Instant messages and are available for review under Analyzed data > Instant messages.
» Physical activities - Physical activities performed by the owner as well as health related measurements including heart rate, blood pressure, etc.


» Device information - Bluetooth pairings, wireless networks, SIM data, application usage, Wi-Fi, cellular locations.

The number in parentheses designates the number of items each category contains.

Selecting any analyzed data category automatically adds it to the highlights list of the displayed binary image and/or memory range it belongs to (located at the bottom of the Hex view tab), and highlights its data range portions in the displayed data.


Data files 


The Data Files tree item sorts the extracted data into common formats, used by devices and 
computers, such as text or document files. 


In the project tree, the information is displayed in the following categories: 


» Applications - Files that were recognized as application files (such as .apk, .jar, .dex, .so, .exe)
» Archives - Files that were recognized as archive or compressed files (such as .zip, .zipx, tar, tar, .gzip, .7zip, .7z, .dar, .gz, arj)
» Configurations - Device configuration files (such as iOS plist files)
» Databases - Data structures that were recognized as databases
» Documents - Files that were recognized as document file formats (such as .doc, .docx, .pdf, .xlsx, .ppt).
» Shortcuts - 
» Text - Files that were recognized as text file formats
» Uncategorized - All unknown file formats or undefined file extensions.

Deleted items are indicated in red.


You can create additional data file groups. For more information, see Managing data files settings (on page 430).

Double-clicking a tree item opens a tab in the data display area.

Expand or collapse tree items by clicking the expand/collapse icon or by selecting Expand all or Collapse all.


5.1.4. File systems 


The File systems view displays a tree with the following data: 
» Memory images - Double-click an image item to display it in a Hex View tab in the data display area.

The Memory Images tree item lists all the extraction files generated from the memory modules of the device.

» Memory Ranges - lists the analyzed memory ranges for each of the extracted memory modules of the device (listed under Images).

Select a memory range to:
» Highlight the memory range portion in the displayed data
» Add it to the highlights list of the displayed binary image it belongs to (located at the bottom of the Hex view tab).

Double-click a memory range item to display its content in a new Hex view tab.


» File systems - file systems found or reconstructed out of the analyzed binary file. 
[Screenshot: File Systems tree for a physical extraction, showing Memory Images (Image (DumpData.bin)), Memory Ranges (Image > GPT Protective) and File Systems (for example cache (Extx) (24 files, 365 KB) and a DropBox file system with its folders), beside the Extraction Summary and Device Info panes.]


The File Systems tree displays all the file systems found or reconstructed out of the analyzed 
binary file. 


Each file system is marked with a hard drive icon. Deleted files are marked with a red cross icon.

Double-click any file system item to display its content in a new Hex view tab.

Double-clicking a tree item opens a tab in the data display area.

Expand or collapse tree items by clicking the expand/collapse icon or by selecting Expand all or Collapse all.


5.1.5. Insights 


The Insights view displays a tree with the following information: 


» Watch lists - Watch lists are lists of keywords that you create and then use to search and identify events and items of interest in the extracted data.
  » Expand Watch Lists to view a list of watch lists that have been run in the current session.
  » Double-click on Watch Lists to view the highlighted entity based on the watch lists. For more information, see Working with watch lists (on page 145).
» Hash sets
» Malware scanner - Run the malware scanner to identify malware on the device. For more information, see Scanning for malware (on page 29).


[Screenshot: Insights tree showing Watch Lists, Hash sets (Image > Known files (16235)) and Malware scanner.]


Double-clicking a tree item opens a tab in the data display area.

Expand or collapse tree items by clicking the expand/collapse icon or by selecting Expand all or Collapse all.
5.1.6. Tags

The Tags view displays a tree with defined project tags.

Double-click on a tag in the tree to open a tab with details in the data display area.




Double-clicking a tree item opens a tab in the data display area.

Expand or collapse tree items by clicking the expand/collapse icon or by selecting Expand all or Collapse all.


5.1.7. Reports 


The Reports view displays a list of generated reports. See Generating a report (on page 257). 


1. Double-click a report to open it. The report opens in the application associated with the report format.

[Screenshot: Reports view listing a generated report for the project, with its hash value and source file shown.]
5.1.8. Cloud

The Cloud view displays all cloud data sources found in the extraction, as well as additional cloud data sources which can be extracted with UFED Cloud when a username and password are available. See Cloud extractions (on page 208).


It is also possible to export an account package from the Cloud view. 




To export an account package:


1. Click Export account package. 
2. Choose the required location to save the file. 


3. Click Save. The Export account package window appears. 


[Export account package window: Associated accounts (for example Instagram 56, Facebook 32, Twitter 13, Skype 13) and a User accounts extraction summary table with Data source and Account name columns (Dropbox, Facebook, Gmail, Google Backup, and so on). Note: "Account name is displayed if available. The data sources above can all be used in UFED Cloud." Buttons: Save, Open UFED Cloud.]
4. Select either:
» Save - to save the account package file.
» Open UFED Cloud - to open the account package in UFED Cloud. This option is only available if UFED Cloud is installed on the same machine as Physical Analyzer.

Click Open in UFED Cloud to open the UFED Cloud case wizard.


5.1.9. Managing project actions 


The project menu allows you to perform the following actions: 


» Add extraction
» Add external file
» Rename
» Select items for report
» Unselect items for report
» Close


Procedure: 


1. Click the menu icon next to the project name. 


2. Select the required menu item. 
5.1.10. Viewing extraction data from multiple projects


When there are multiple projects open in Physical Analyzer, it is possible to switch between 
projects to view the data. 


1. Click the dropdown icon next to the project name. 


2. Select a project. 


The view displays the extraction data for the selected project. 




5.2. Data display area


Double-click an item to display it in a tab. A new tab is opened for each item. 


Figure: Installed Applications tab opened in the data display area (Insights view, with app categories such as Browser, Spoofing, Security, Password manager, Social networking and Utilities)

The data display area also displays additional windows such as the Trace window, and Watch 
list results. 
To close a tab, do one of the following:

» Click X on the tab header.

» Click X at the top right of the data display area.

To jump to a specific tab, either:

» Click on the tab header.

» At the top right of the data display area, click the tab list icon, and select the desired tab from the open tabs list.


5.2.1. Welcome tab 


The Welcome tab is automatically displayed in the data display area when the application 
starts and displays a list of recently opened files. 


Each file in the list is displayed as a framed information group that contains the following 
items: 


» Device picture - A thumbnail image of the device from the application resources, if 
available. When unavailable, a general placeholder image is used. 

» File name - The name of the opened file, without the file extension. 

» File path - The file system path to the file location. 


» Device model - The identified device manufacturer and model, or BINARY if the opened 
file was a binary extraction. 


» Date and time - The date and time stamp at which the file was last opened. 
» Browse link - A direct link to the file in the system. 

To remove a recent item from the Welcome tab, click its remove icon.
You can do the following:


» Click on a framed item to open the files for decoding. 
» Click Browse to go directly to the file associated with it in the file system. 
» Close the Welcome tab. To reopen it, go to View > Welcome Screen. 


5.2.2. Extraction summary tab 


The Extraction Summary tab is displayed automatically whenever you open a new extraction 
for analysis. 


The Extraction Summary tab has the following sub tabs: 


» All Content: Includes information on the extractions, device information and device content. For more information, see All Content tab (below).

» Extractions: A tab for each type of extraction performed. See Extraction tabs (on page 104).


5.2.2.1. All Content tab

The All Content tab includes the following information:

» Extractions (on the facing page)
» Case Information (on page 100)
» Device Info (on page 101)
» Device Content (on page 102)
5.2.2.1.1. Extractions


This section includes information related to the device extractions. 


Figure: Project with multiple extractions (the Extractions area shows, for each extraction, its name, device model, type, start and end date/time, and the path to the extraction file)


The Extractions area includes the following information:

Extraction link - Link to the extraction tab.
Device model - Detected model, e.g., MB717, Samsung GT-I9205.
Type of extraction - Type of extraction performed, e.g., Physical (Bootloader).
Extraction start date/time, Extraction end date/time - When the extraction started and ended.
Path to the extraction file - The location of the extraction file.


To rename an extraction: 


1. Click the Edit button, or select the extraction name in the project tree, right-click and 
then select Rename. The Rename extraction window appears.

Figure: Rename extraction dialog (Enter a new name for the extraction)

2. Enter a new name for the extraction and then click Save. 
To rename a project: 


1. Select the project name in the project tree. 


2. Right-click and then select Rename. The following window appears.

Figure: Rename dialog for the project (Enter a new device name)


3. Enter the required name for the project. 
4. Click Save. 


5.2.2.1.2. Case Information 


This section includes the case information, which is taken from the Project settings > Case 
Information. 


Figure: Case Information section (Case, Case name, Notes)
5.2.2.1.3. Device Info


This section displays a summary of the specific device information taken from the extraction file.


The following example shows device information for a project with multiple extractions. 


Figure: Device Info for a project with a Logical and a Physical extraction. The Logical column lists Detected manufacturer, Detected model, Phone revision, IMEI, Phone date/time, Client Used for Extraction and Extraction Notes; the Physical column lists Android ID, Bluetooth MAC Address, Bluetooth device name, OS Version, Detected Phone Model, Android fingerprint, Detected Phone Vendor, Mac Address, ICCID, IMSI, Phone Activation Time, Factory number, Locale language, Country Name, Time Zone, IMEI, Mock locations allowed, Auto Time Zone and Auto Time. Each value is shown with its source (Information from XML, or a file and offset such as settings.db-wal or build.prop).
5.2.2.1.4. Device Content


This section includes the analyzed content, which is divided into the following categories:

» Phone Data: The types of analyzed device data found in the extraction, such as call logs, contacts, instant messages, and so on. For the complete list of phone data types, see Analyzed data (on page 89).

» Data Files: The types of standard data files found in the extraction, such as applications, audio, configurations, images, videos, text files, and uncategorized. See Data files (on page 429).

» Camera Evidence: Pictures or videos of a device. See Camera and screenshot evidence (on page 403).

» Phone Evidence: Screenshots of the device. See Camera and screenshot evidence (on page 403).


The number in white indicates the total number of items, and the number 
in red (in parenthesis) indicates that the item was found in deleted data. 


5.2.2.1.5. Insights from installed apps 


Insights from installed apps allows the user to get a peek into the types of apps installed on 
the device. This area displays app categories and the number of apps in each. 


Figure: Insights from Installed Apps section listing app categories and counts (e.g., Chat applications (52 apps), Hide files or pictures (6 apps), Browser (3 apps), Spoofing (1 apps), Security (1 apps), Password manager (1 apps), Social networking (76 apps), Utilities (29 apps)) with a View all link

Click View all to open the Insights tab.

Figure: Insights view of the Installed Applications tab, showing for each category the number of apps no longer in the store and how many of its apps were decoded by Cellebrite (e.g., 45 of 52 apps decoded by Cellebrite), with the selected apps listed at the bottom
5.2.2.2. Extraction tabs


An extraction tab is displayed for each type of extraction. The extraction tabs display extraction information such as when the extraction was performed, by which Cellebrite UFED unit and using which cable, as well as Image Hash Information, which is used for the verification of the logged hash values of the parsed images. See Verifying hash values (on page 364). In each extraction tab you can use the find box to search for device specific information.


Figure: Extraction tab for a Physical (Bootloader) extraction, showing the Extraction pane (start and end date/time, unit and cable details, extraction ID, and whether hash data is available) and the Device Info pane, where each value is listed with its source file and offset


Extraction information includes the following:

Extraction start date/time, Extraction end date/time - When the extraction started and ended.
Unit Identifier - The serial number of the device that performed the extraction (e.g., Cellebrite UFED Touch), or a unique ID if the extraction was performed by a PC application (e.g., Cellebrite UFED 4PC).
Unit Version - Cellebrite UFED software version (e.g., 4.1.0.220).
Selected Manufacturer - Manufacturer of the device (e.g., Apple).
Selected Device Name - Device name (e.g., iPhone 4).
Connection Type - Cable used for the extraction (e.g., Cable No. 100).
Extraction Type - Type of extraction performed (e.g., File system).
Extraction ID - Unique ID for each extraction type.
Extraction (UFD) file data integrity - Corruption check status (e.g., Intact, Corrupt, Not Available).
To display the relevant information in a new tab in the data display area, click any of the tree items.


Protecting UFD and Extractions

To enhance the protection of extraction files, an implemented corruption check mechanism prevents data loss in transit and manual tampering of extractions. In the Extraction Summary you can view one of the following corruption check statuses:

» Intact - the check succeeded.
» Corrupt - the check failed.

A status of "Not Available" appears for extractions made with previous versions of Physical Analyzer.
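As an added example (not Cellebrite's code, and not the UFD file format), the following Python script shows the kind of check the Image Hash Information and corruption status above rely on: the hash logged for each parsed image is recomputed over the file on disk and compared, giving Intact, Corrupt, or Not Available when no hash data was logged. The manifest layout, file names and image contents are constructed for the example.

```python
"""Verify logged image hashes for an extraction folder (constructed example)."""
import hashlib
import os
import tempfile

# Statuses as shown in the Extraction Summary.
INTACT, CORRUPT, NOT_AVAILABLE = "Intact", "Corrupt", "Not Available"

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images never load into RAM


def file_digest(path, algorithm):
    """Stream-hash one file with a hashlib algorithm name such as 'sha256' or 'sha1'."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image_hashes(image_dir, logged_hashes):
    """Compare every logged hash with the image currently on disk.

    logged_hashes: {image file name: {"algorithm": str, "value": hex digest}}
    (an assumed manifest shape, not the UFD format).
    Returns (overall status, {image file name: per-image status}).
    An extraction with no logged hashes at all gets NOT_AVAILABLE, like the
    status shown for extractions made with older versions.
    """
    if not logged_hashes:
        return NOT_AVAILABLE, {}
    results = {}
    for name, entry in logged_hashes.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            results[name] = CORRUPT  # a missing image cannot be verified
            continue
        actual = file_digest(path, entry["algorithm"])
        results[name] = INTACT if actual.lower() == entry["value"].lower() else CORRUPT
    overall = INTACT if all(s == INTACT for s in results.values()) else CORRUPT
    return overall, results


def demo():
    """Build a constructed extraction folder, log its hashes, then tamper with one image."""
    with tempfile.TemporaryDirectory() as folder:
        userdata = os.path.join(folder, "userdata.bin")
        system = os.path.join(folder, "system.bin")
        with open(userdata, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed userdata image")
        with open(system, "wb") as fh:
            fh.write(b"constructed system image")
        # Hashes recorded at extraction time (constructed manifest).
        logged = {
            "userdata.bin": {"algorithm": "sha256", "value": file_digest(userdata, "sha256")},
            "system.bin": {"algorithm": "sha1", "value": file_digest(system, "sha1")},
        }
        # Simulate a single byte appended to one image after the extraction.
        with open(system, "ab") as fh:
            fh.write(b"X")
        status, per_image = verify_image_hashes(folder, logged)
        no_hash_status, _ = verify_image_hashes(folder, {})
    return status, per_image, no_hash_status


if __name__ == "__main__":
    print(demo())
```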
5.2.3. Data tabs


Data tabs show files of a specific type (such as call log, contacts, instant messages, and so on).


Each type of data file has several data display modes: 


Application files - Hex View and File Info
Image files - Hex View, Image View, File Info, and Gallery view
Video files - Hex View, File Info, Video View, and Gallery view
Audio files - Hex View and File Info
Text files - Hex View and File Info
Document files - Hex View and File Info
Databases - Database View, Hex View and File Info
Configurations - Hex View and File Info


Data tabs display the data in a variety of sub-tabs, depending on the data type:

» Table view - A list of all the files of a specific type (images, videos, audio, text, and so on) that were found during the data analysis process.

» Folder view - View the folder structure of the data file paths in the reconstructed file system (for data files only).

» Hex view - View the Hex data of a binary item. See Hex view (on page 116).

» Image view - View the image. See Viewing image files (on page 124).

» Thumbnail view - View images by thumbnail (for images only).

» File format viewer - Displays tree-based formats such as Plist, Bplist, JSON, etc. See File format viewer (on page 120).

» File Info - View information about the file. See File Info tab (on page 120).

» Database view - View the contents of database files. See Database view (on page 112).

» Gallery view - View images and videos in Gallery format.
5.2.3.1. Working in data tabs
Selecting items 


Select items in the data display area to include them in any report you generate. By default, 
all items are selected. 


» To select multiple items, hold the SHIFT or CTRL keys (consecutive and nonconsecutive selection).

» When an item is selected, press the space bar to select or clear the check box, which indicates if the item should be included in or excluded from the report.

» To select all items at once, click the check box in the column header (table view, thumbnail view and timeline).


» To select items and optionally include a timeframe:

1. Click the menu icon and select Select items for report.

Figure: Select items for report dialog ("You are about to select all items for the report. Continue?", project selection, Time range filter with Only events between these dates and From/To dates, and Include all related events: locations, etc.)

2. To select all, click Yes.

3. To set a timeframe for selection:
a. Check Only events between these dates.
b. Select the From and To dates.
c. Click Yes.

To include related events, select Include all related events: locations, etc. This action overrides the current selection.


Unselecting items 


Unselect items in the data display area to exclude them from any report you generate. 
» To unselect all items at once, click the check box in the column header (table view, thumbnail view and timeline).

Figure: Unselect items for report dialog ("You are about to clear all items for the report. Continue?", project selection, Time range filter with Only events between these dates and From/To dates, and Include all related events: locations, etc.)


» To unselect items and optionally include a timeframe:

1. Click the menu icon and select Unselect items for report.
2. To unselect all, click Yes.
3. To set a timeframe to unselect items:
a. Check Only events between these dates.
b. Select the From and To dates.
c. Click Yes.


Sorting columns 
Sort each column alphabetically or by time. 
» Click the column header to toggle the order. 


Re-ordering the columns 


For your convenience, you can change the order of the columns. Your preference is retained 
for the duration of the session. 


» Drag the desired column to the desired location. 


Hide or show columns 


» Right-click the column header and select the column name in the list. 


Viewing more information 


For data tabs containing textual information, by default the right pane is open, displaying the 
selected item's information. 


» To close or open the right pane, click the pane toggle icon.
Exporting data


1. To export the data in a particular tab, click the desired output in the toolbar: Excel, HTML, PDF, XML, KML (location data only), or EML (email data only).

Figure: Export menu (Excel (only hash values), Excel, HTML, PDF, XML, Word)

The Export Dialog Window appears.

Figure: Export dialog with File name, Save to path, Report sub directory, the Include translations check box, and OK/Cancel buttons


2. Do one of the following:

» Enter the path where you want to save the report.

» Click the browse button, browse to and select the desired location.

3. Select the Include translations check box to include translated data.
4. Click OK.


The report is generated, and a message appears asking if you would like to open it in 
third party software. 


5. Click Yes or No. 
The file is opened in the default third party software. 


When exporting to EML, a file is created for each email. 
5.2.3.2. Table view for data files


For data files, the table shows the following information: 


Check box - Indicates whether to include (select) or exclude (clear) the item in the report.
# - Row number.
Bookmark icon - Indicates if the item is bookmarked.
Status icon - Indicates whether the data file was deleted, or has an unknown status ("?" or white document icon).
Attachment icon - Indicates if the data file includes an attachment.
Image - A thumbnail of the image or an icon of the file type (image data files only).
Name - The file name.
Path - The root path of the data file in the file system.
Size - The size of the file.
Metadata - Additional metadata of the data file.
Created - The creation time stamp of the data file.
Modified - The modification time stamp of the data file.
Accessed - The last access time stamp of the data file.
Attachment source app - Indicates the source application for the attachment, as well as whether it was sent or received.
Bookmark Note - Details of the bookmark.


In addition, indicators are displayed to show attachments, indicate video calls, and to show 
event direction. 


» Double-click on an item record (table row) to open a Hex Viewer tab showing the Hex 
data of the selected file. 
5.2.3.3. Table view for analyzed data


For analyzed data, table view tabs display a list of all the events of a specific type (Call Log, Contacts, Instant messages, and so on) that were found during the data analysis process.

Figure: Call Log table view tab


5.2.3.4. Folder view 


Figure: Folder view of the Images data tab, showing the reconstructed file system folders (e.g., system (ExtX)/Root, userdata (ExtX)/Root and their sub-folders) with the selected and total item counts for each folder

Folder view shows how the items were organized in the device. 


» Select the folder checkbox to select all the items in that folder (including sub-folders). Selected items are included in generated reports. When you select an item, it is selected in all tabs in the data display area.

» Click the open icon next to a folder to open the folder in a new tab in the data display area.

The following folder information is displayed:

» The folder name in the extracted file system.
» The number of selected items in that folder (red, in brackets).
» The total number of items in that folder (in black).


5.2.3.5. Database view 


Database view displays the contents of database files that were found in the extraction. It improves your data reviewing capabilities within database content and includes the following capabilities:

>» Advanced viewing: Links between database values and their source within the Hex format, 
making evidence validation and investigation easier and clearer. You can decode data in 
the database file without the need to copy it or switch to Hex view. 


» Auto-detect cell content type and cell selection: Converts timestamps to human-readable 
format, decodes base64 data, previews embedded images, opens the file format viewer, etc. It also 
includes extra decoding capabilities for database values. 


>» Deleted data (recovered records): View deleted database records as well as intact data, 
making SQLite carved records more accessible and legible. 


» Search: Enhanced search capabilities. 
To open Database view: 


1. Double-click the Databases tree item under Data Files. The following window appears. 


Figure: Databases table view (Table View and Folder View sub-tabs, Export, Filters and Actions menus, and a Duplicate Databases count), with the file details of the selected database (Name, Type, Size, Path, Created, Accessed, Modified, MD5, Source file, Extraction) in the right pane
2. Double-click a row to open the Database view. 
Figure: Database view of accounts.db, showing the table list (accounts, android_metadata, authtokens, sqlite_master, sqlite_sequence) on the left and the sqlite_master records (type, name, tbl_name, rootpage and the CREATE statement of each table, index and trigger) on the right


Database view consists of the following sections:

» List of the database tables. The number in parenthesis next to each table name designates the number of records in the database table. Select a table in the left column to display its records.

» Records display area containing a list of data records in the selected database table.

Figure: Database view of Cache.db, with the table list (cfurl_cache_blob_data (110), cfurl_cache_receiver_data (110), cfurl_cache_response (110), cfurl_cache_schema_version (1), sqlite_master (11), sqlite_sequence (1)) on the left and the records of the selected table (entry_ID, response_object, request_object, proto_props) on the right
» Search field to filter the displayed records.

Figure: Database view records filtered by a search term, showing message records with their conversation identifier, sender and content columns

» Use the buttons toolbar to: include recovered records, export to CSV, open the SQLite wizard, or open the Virtual Analyzer.

To include recovered records:

» Click the Include recovered records button. The recovered records are indicated in red.

Figure: Database view of Cache.db with recovered records of cfurl_cache_blob_data shown in red


» Select records to auto-detect cell content type and display the data in the right pane. See 
the examples below. 


5.2.3.5.1. Examples

The right pane displays a cell's data more clearly in a view for each data type. Examples are shown next.

Date and time

Figure: A numeric cell of a messages table shown in the Date & time view (1/28/2008 2:26:16 AM), with Hex and Text views also available

Decode base64

Figure: Base64-encoded identifier cells of a cache table, decoded in the right pane to the URL they encode

HTML

Figure: A receiver_data cell shown in the Hex, Text and HTML views, with the cached HTML document rendered

Image

Figure: PNG cells previewed in the Image view

Serialized data

Figure: Serialized cell content (JSON text and bplist blobs of the cfurl_cache_response table) shown in the right pane
26 bpist009-4WVersionUArray ee [bplist009WVersionUAray® 


Q | [Hex] Serialized data 


|| Search || Clear 


Version: integer = 1 


=f 


dict = { 

real = 497902092.883465 
integer = 0 

integer = 200 


dict = { 
Etag : AsciiString = "232-4fbad 1eb17fc0" 


Last-Modified : AsciString = Thu, 12 Jun 2014 14:10:15 GMT 
Server : AsciiString = PWS/8.1.38 

Content-Type : AsciiString = application/javascript 

Content-Length : AsciiString = 562 

X-Cypeed : AsciString = 95424099 

-ht h0-51133.p11-fra ( h0-s1129,p11-fra), ht h0-s1129.p11-fra.cdngp.net 


X-Px: Ascifstring = 
Cache-Control : AsciiString = public, max-age=120 
Date : AsciiString = Wed, 03 Aug 2016 07:28:12 GMT 
User-Cache-Contro : AsiString = public, max-age=120 
Connection : AsciString = keep-alive 

integer = 562 

AsciSting = appliction/javascript 
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Text 


cfurl_cache_receiver, Ș 5 BB [>] Q | | Hex) Text 
This repository has been reported by the community to be illegally redistributing co| 


-eceiver_data af 


We cannot stop you from using it, but we can (and do) recommend moral introspec’ 


PNG 
“icon":"http://cydia.saurik.com/icon@2x/net.ispazio.applin.. Please also keep in mind that illegal packages from untrusted sources are often out. 
I98DE824-B157-4AEF-9777-8FOBBFA9ZA03 


ydia.saurik.com/icon@ 


x/com.iphonecake.clu.. 


TYPE html SYSTEM “aboutlega 
"icon" :"httpy 
PNG 


<html> <head> <me.. 


ydia.saurik.com/ico 


5.2.3.6. Hex view


A Hex view tab opens for each binary item you open from the project tree. When you open the
image of a memory disk, for example, the Hex view tab opens alone. When you open a binary
item such as an image file, the Hex view tab may be accompanied by other tabs (for example,
Image view and File Info).


[Figure: Hex view tab of an extracted JPEG (2015-08-08 15.38.57.jpg) with Hex View, Image view
and File Info sub tabs. The pane shows the address column, the hex bytes (FF D8 FF E0 00 10 4A
46 49 46 ... the JFIF header) and the ASCII column; below it the Values, Tags and Highlights
analysis tabs with Offset, Length, Value and Source columns, and the status bar Length 0x10091,
Offset 0x0, Selection 0x0.]
The Hex view tab contains the following sections:


Hex tabs


» Address column: The start address of each row of the Hex and ASCII data sections, shown
as a hex or decimal value.


» Hex data view column: The hex bytes of the selected item.
» ASCII representation view column: The ASCII representation of the hex data.


An information frame appears automatically when you position the mouse over data in the
Hex view. The frame displays links (pointers) to analyzed data items, such as files and
folders in the project tree, and to search results associated with the data under the cursor.
Hex view toolbar


The toolbar above the Hex view provides the following controls:


» Save the entire memory extraction to a local folder.


» Copy Selection: Copy the currently selected content of the Hex View tab to the
clipboard.


» Find: Displays the Find dialog to search for all occurrences of specified
information in the displayed Hex display pane.


» Find again: Displays the Find dialog box with the search parameters used in
the latest search.


» Bookmark the currently selected content of the Hex display pane.


» Go to offset: Redirect the offset to a specific address in the content of the Hex
display pane.


» Enable Info Frame: Toggles on/off the display of the floating information frame at the
cursor location.


» Toggles on/off the left address column display.


» Show ASCII view: Toggles on/off the right ASCII representation column display.


» Locate file in tree: Locate the file in the data tree.


Analysis information tabs


Located under the Hex view tab are Analysis Information tabs that display the following types
of information related directly to the displayed Hex data:


» Values - A wide array of value interpretations, such as 8, 16, 32, and 64 bit, various string
encodings, date & time formats, and more, calculated on the fly for the currently selected
data in the Hex view. See Working in the Values tab (below).

» Tags - A list of tags added in the displayed Hex data. See Working with Hex tags (on
page 398).

» Highlights - A list of content segment markups highlighted in the displayed Hex data.
The number of highlight results is shown in brackets next to the tab name. See Working
in the Highlights tab (on the facing page).

» Search - Displays results of a search in the displayed Hex data. A new search results tab
opens for each search query performed. The number of results for each search is shown
in brackets next to the tab name.


You can rearrange the display of the Analysis Information tabs to suit your preference:


» Double click the header strip of the section to display the entire section as a floating
panel. Double click the floating panel header strip to dock it back to the default location
(at the bottom of the Hex View tab).


» Double click the name label of any tab to display it as a floating panel. Double click the
floating panel header strip to dock it back to the original location.


» Drag the name label or floating panel over any of the docking labels that appear to dock
it at that location in the Hex View tab.


5.2.3.6.1. Working in the Values tab 


Decode the raw data to a variety of encoding types in real time, and expand them in the 
Values list. 


1. To access the Values tab, click the Values tab at the bottom of a Hex view tab. 


[Figure: Hex view of an extracted JPEG (hex bytes FF D8 FF E0 00 10 4A 46 49 46 ... with the
Exif segment visible) and the Values, Tags and Highlights analysis tabs at the bottom.]
2. Select a data segment in the Hex.


3. To display the decoded data, scroll to the desired encoding and click the expand icon
next to it. Some encoding options, such as 16 Bit, have sub-encoding types.


4. To fully expand or collapse all encoding types, click the expand-all or collapse-all icon.
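To make the Values tab's interpretations concrete, here is an added example (written for this
page; it is not Cellebrite code) that computes the same kinds of readings for a selected byte
range: signed and unsigned 8/16/32/64-bit integers in both byte orders, IEEE floats, Unix,
Cocoa (2001-based), FILETIME and WebKit timestamps, and ASCII/UTF-8/UTF-16 strings. The
plausibility window for dates, the encoding names and the sample bytes are this example's
own assumptions.

```python
"""Value interpretations for a selected byte range, in the spirit of the Hex view's Values tab.
Added example for this page, not Cellebrite code: the encoding names and the plausibility window
are this example's own choices."""
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple absolute time (bplist dates)
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)      # Windows FILETIME, WebKit/Chrome

# Assumed plausibility window: a decoded date outside it is reported as None, not shown
EARLIEST = datetime(1990, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2040, 1, 1, tzinfo=timezone.utc)


def as_date(epoch, seconds):
    """Format epoch + seconds as 'YYYY-MM-DD HH:MM:SS UTC', or None if it cannot be a timestamp."""
    try:
        when = epoch + timedelta(seconds=seconds)
    except (OverflowError, ValueError):          # NaN, inf or far outside datetime's range
        return None
    if not EARLIEST <= when < LATEST:
        return None
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def cstring(text):
    """Cut a decoded string at the first NUL, the way a viewer shows inline strings."""
    return text.split("\x00", 1)[0]


def interpret(data, offset=0):
    """Return a dict of every interpretation that fits the bytes starting at offset."""
    seg = data[offset:]
    out = {}
    # Fixed-width integers, both byte orders, signed and unsigned
    for bits, code in ((8, "b"), (16, "h"), (32, "i"), (64, "q")):
        size = bits // 8
        if len(seg) < size:
            continue
        chunk = seg[:size]
        out["int%d_le" % bits] = struct.unpack("<" + code, chunk)[0]
        out["int%d_be" % bits] = struct.unpack(">" + code, chunk)[0]
        out["uint%d_le" % bits] = struct.unpack("<" + code.upper(), chunk)[0]
        out["uint%d_be" % bits] = struct.unpack(">" + code.upper(), chunk)[0]
    # IEEE floats
    if len(seg) >= 4:
        out["float32_le"] = struct.unpack("<f", seg[:4])[0]
    if len(seg) >= 8:
        out["float64_le"] = struct.unpack("<d", seg[:8])[0]
    # Timestamps: the same integer read under the common epoch/unit conventions
    if "uint32_le" in out:
        out["unix32_le"] = as_date(UNIX_EPOCH, out["uint32_le"])
        out["unix32_be"] = as_date(UNIX_EPOCH, out["uint32_be"])
        out["cocoa32_le"] = as_date(COCOA_EPOCH, out["uint32_le"])
    if "uint64_le" in out:
        u = out["uint64_le"]
        out["unix_ms_le"] = as_date(UNIX_EPOCH, u / 1000)
        out["filetime_le"] = as_date(NT_EPOCH, u / 10_000_000)   # 100 ns ticks
        out["webkit_le"] = as_date(NT_EPOCH, u / 1_000_000)      # microseconds
        out["cocoa_double_le"] = as_date(COCOA_EPOCH, out["float64_le"])
    # Strings, cut at the first NUL
    out["ascii"] = cstring(seg.decode("ascii", errors="replace"))
    out["utf8"] = cstring(seg.decode("utf-8", errors="replace"))
    even = seg[: len(seg) & ~1]
    if even:
        out["utf16le"] = cstring(even.decode("utf-16-le", errors="replace"))
        out["utf16be"] = cstring(even.decode("utf-16-be", errors="replace"))
    return out


# Constructed sample (assumption, not data from the manual): a little-endian 32-bit Unix time,
# a 2001-based date stored as a double, then a UTF-16LE string.
SAMPLE = (struct.pack("<I", 1470209292)
          + struct.pack("<d", 497902092.883465)
          + "Cache.db".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for off in (0, 4, 12):
        print("offset 0x%x" % off)
        for name, value in interpret(SAMPLE, off).items():
            if value is not None:
                print("  %-16s %r" % (name, value))
```

Run it to print, for each offset in the constructed sample, every interpretation that fits.
Readings that decode to a date outside the 1990 to 2040 window are suppressed, which is the
check a practitioner applies mentally when a Values list offers a dozen candidate timestamps
for the same four bytes.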


5.2.3.6.2. Working in the Highlights tab 


The Highlights tab contains a list of content segments that are highlighted in the displayed 
Hex data. Each segment represents locations of analyzed data within the Hex. The Highlights 
tab enables you to locate particular types of analyzed data in the Hex. The number of 


highlight results is shown in brackets next to the tab name. 


1. To access the Highlights tab, click the Highlights tab at the bottom of a Hex view tab. 


[Figure: Hex view of a JPEG with the Highlights tab open at the bottom, listing highlighted
segments with Offset, Length, Value and Source columns. Status bar: Length 0x10091, Offset 0x0,
Selection 0x0.]

2. In the project tree, click an Analyzed Data folder (for example, Contacts).


The location of the selected folder is highlighted in the Hex view tab, and the chunks that
make up the folder's data are listed in the Highlights tab.


5.2.3.7. File Info tab 


[Figure: File Info tab of logs.db (opened next to the Call Log (17) tab, with Database view,
Hex View and File Info sub tabs), listing the file's FAT attributes, size (57344 bytes), number
of chunks (2), offset (0x114A5D000) and created/modified/last-access timestamps (1/1/2013
12:01:29 AM (UTC+0), 7/14/2015 7:38:15 AM (UTC+0)).]

The File Info tab displays the following information about the data file:


» FAT - The File Allocation Table of the extended attributes.

» Date & Time - Created, Modified, and Last Access time stamps of the data file.

» General - The file size in bytes and the number of file system chunks of which the data
file is made up.

» Offsets - The offset addresses of the data file in the Hex data.

» EXIF - The embedded EXIF information logged by the camera (if it exists).


» File Metadata - The general information of the image (capture time, resolution, size and
color depth).


5.2.3.8. File format viewer


A file viewer that displays tree-based (hierarchical) formats. It supports the following data
formats: Property list (Plist), Binary property list (Bplist), JSON, Serialized Java object,
MessagePack, and SharedPreferences.


An example is displayed next.
[Figure: device_values.plist opened in the File format viewer (sub tabs File format viewer,
Hex View, File Info; Search and Clear controls; Search results: 0). The parsed tree reads:]

dict = {
    ActivationPublicKey : data = 2D 2D 2D 2D 2D 42 45 47 49 4E 20 52 53 41 20 50 55 42 4C 49 43 20 4B 45 59 2D 2D 2D 2D 2D 0A 4D 49 47 4A 41 6F 47 42 41 4B 77 65 ... (the bytes spell "-----BEGIN RSA PUBLIC KEY-----")
    ActivationState : string = Activated
    ActivationStateAcknowledged : true = True
    BasebandSerialNumber : data = 11 56 F8 BB
    BasebandStatus : string = BBInfoAvailable
    BasebandVersion : string = 4.52.00
    BluetoothAddress : string = a0:99:9b:53:9b:b0
    BuildVersion : string = 13C75
    CPUArchitecture : string = arm64
    DeviceCertificate : data = 2D 2D 2D 2D 2D 42 45 47 49 4E 20 43 45 52 54 49 46 49 43 41 54 45 2D 2D 2D 2D 2D 0A 4D 49 49 43 38 7A 43 43 ... 2D 2D 45 4E 44 20 43 45 52 54 49 46 49 43 41 54 45 2D 2D 2D 2D 2D 0A (a PEM "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" block)
    DeviceClass : string = iPhone
    DeviceColor : string = #e1e4e3
    DeviceName : string = shirleym's iPhone
    DevicePublicKey : data = 2D 2D 2D 2D 2D 42 45 47 49 4E 20 52 53 41 20 50 55 42 4C 49 43 20 4B 45 59 2D 2D 2D 2D 2D 0A 4D 49 49 42 43 67 4B 43 41 51 45 41 ... (a PEM "-----BEGIN RSA PUBLIC KEY-----" block)
    DieID : integer = 357552343476262
    FirmwareVersion : string = iBoot-2817.20.26
    HardwareModel : string = N61AP
    HardwarePlatform : string = t7000
    HostAttached : true = True
    ...
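As an added example (not from the manual and not Cellebrite's code), the following Python
renders a property list in the same "key : type = value" layout, using plistlib, which
detects XML and binary (bplist00) input from the bytes themselves. It also names PEM blocks
stored as data values, which is what the ActivationPublicKey and DeviceCertificate hex above
decodes to. The sample dictionary, its keys and its certificate body are constructed for
the example.

```python
"""Tree rendering of a property list, in the style of the File format viewer.
Added example for this page (not Cellebrite code); plistlib handles both XML and
binary (bplist00) input, and the PEM detection is this example's own addition."""
import plistlib
import re
from datetime import datetime

# A plist <data> value that is really PEM text (certificates and keys in device_values.plist)
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_blocks(data):
    """Labels of the PEM blocks embedded in a data value, e.g. ['CERTIFICATE']."""
    return [m.group(1).decode("ascii") for m in PEM_RE.finditer(bytes(data))]


def type_name(value):
    """Plist type names as the viewer prints them."""
    if isinstance(value, bool):          # must precede int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, dict):
        return "dict"
    if isinstance(value, list):
        return "array"
    if isinstance(value, str):
        return "string"
    if isinstance(value, int):
        return "integer"
    if isinstance(value, float):
        return "real"
    if isinstance(value, (bytes, bytearray)):
        return "data"
    if isinstance(value, datetime):
        return "date"
    return type(value).__name__


def render_value(value):
    """Leaf rendering: hex bytes for data (PEM blocks named instead), ISO dates, plain scalars."""
    if isinstance(value, (bytes, bytearray)):
        pems = pem_blocks(value)
        if pems:
            return "PEM %s (%d bytes)" % (", ".join(pems), len(value))
        shown = " ".join("%02X" % b for b in value[:16])
        return shown + (" ..." if len(value) > 16 else "")
    if isinstance(value, datetime):
        return value.isoformat()
    return str(value)


def walk(node, key="root", depth=0, lines=None):
    """Flatten a plist tree into 'key : type = value' lines, indented two spaces per level."""
    lines = [] if lines is None else lines
    pad = "  " * depth
    if isinstance(node, dict):
        lines.append("%s%s : dict = {" % (pad, key))
        for name in sorted(node):
            walk(node[name], name, depth + 1, lines)
        lines.append("%s}" % pad)
    elif isinstance(node, list):
        lines.append("%s%s : array = [" % (pad, key))
        for index, item in enumerate(node):
            walk(item, "[%d]" % index, depth + 1, lines)
        lines.append("%s]" % pad)
    else:
        lines.append("%s%s : %s = %s" % (pad, key, type_name(node), render_value(node)))
    return lines


def render(raw):
    """Parse plist bytes (XML or bplist00, sniffed by plistlib) and return the rendered lines."""
    return walk(plistlib.loads(raw))


# Constructed sample (assumption): keys modelled on device_values.plist plus an array to show
# nesting; every value is made up, and the certificate body is not a real certificate.
SAMPLE = {
    "ActivationState": "Activated",
    "ActivationStateAcknowledged": True,
    "BasebandSerialNumber": bytes.fromhex("1156F8BB"),
    "BuildVersion": "13C75",
    "CPUArchitecture": "arm64",
    "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
    "HardwareModel": "N61AP",
    "HardwarePlatform": "t7000",
    "SupportedFeatures": ["baseband", "wifi"],
}
RAW_BPLIST = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)   # starts with b"bplist00"
RAW_XML = plistlib.dumps(SAMPLE)                                # the same tree as XML

if __name__ == "__main__":
    print("\n".join(render(RAW_BPLIST)))
```

The same tree renders identically from the XML and the binary encoding, so a practitioner
can diff a plist pulled from two extractions without caring which serialization each used.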
5.2.4. Notifications center


The Notifications center keeps you up to date with new features and capabilities of Physical
Analyzer and with the progress of actions in your project. In the Notifications center, you
can view the latest alerts, news, warnings, and completed actions.


To see your notifications:


1. Click Notifications at the top right. The following window appears.


[Figure: Notifications Center (6) pop-up listing messages such as "Hash set imported
successfully. Hash set name: ProjectVic", "Hash set process completed successfully. 0 results
were found.", "Location carving completed" and "Total carved locations: 8", with a View all
notifications link.]

The notification counter resets to zero after the messages have been reviewed.


2. To open the Notifications center, click View all notifications. The following window 
appears. 
[Figure: Notifications Center (6) tab with Category filter, Clear All and Search controls.
The messages shown include hash set import and processing results (hash set name: NJ drugs
cartel; 0 results were found), two time-limited free-service notices about converting BSSID
(wireless network MAC address) and cell tower values to physical locations (to use the BSSID
feature, download the database; to enrich cell tower information, use the Export menu to send
it by email to Cellebrite and then import the converted values into UFED Physical Analyzer),
each with a View Instructions link, and a New capability notice about the Carve locations
feature, which extracts and decodes additional location data from unallocated space and
unsupported databases (open the device locations and click the carving icon, or select
Tools > Get more data (Carving) > Carve locations).]

From this window, you can select the message category type to display, that is: Error, 
Information, Success, or Warning. You can also clear all the existing messages, search for 
a particular message, view details about the message, and hide messages. 
5.3. Viewing image files


1. In the Analyzed data tab, go to Media > Images.


2. Double click Images to open the Images tab.


If media classification was run on the extraction, you can double click
the relevant category to open its tab. See Media classification (on
page 346).


[Figure: Images tab (Images (17522) and Images - Cars (5)) with the Table View, Thumbnail
View, Folder View and Gallery View buttons and a Classifications column.]
In the Images tab, you can select the view in which you wish to see the images. Available
views include:


» Table view


View a list of all images in table format. Double click an image to open it in a separate
tab.


[Figure: Images - Cars (60) in Table view.]
» Thumbnail view


View images by thumbnail. Double click an image to open it in Gallery view.


[Figure: Images tab in Thumbnail view, with the Classifications column.]

» Folder view


View the folder structure of the data file paths in the reconstructed file system. Double
click an item to open it in Gallery view.


[Figure: Images tab in Folder view.]

» Gallery view


View images in gallery format, easily scrolling through images.


[Figure: Images - Cars (60) in Gallery view, showing the selected file name and its
timestamp.]

Viewing single images


1. In Gallery view, click Open in a new tab to view the image in a separate tab.


[Figure: an image opened in its own tab with Hex View, Image view and File Info sub tabs.]


The sub tabs for each image include:


» Hex view - view hex data for the image.


» File info - view the file information. For example, the File metadata section includes
information such as the Capture Time, which is the date and time a photo was taken.
» Image view - Use the image controls as needed:


» When the image is enlarged, click the arrows to navigate the image.


» Rotate the image clockwise and anti-clockwise.


» Zoom in and out. You can also adjust the zoom using the slider.


» Zoom to fit the tab.
» Reset the zoom to 100%.


» Hide the image controls.
5.4. Viewing docs in Physical Analyzer


To help optimize the review process, you can view all PDF and Microsoft Office files extracted
from a device (Word, Excel and PowerPoint) in Physical Analyzer. If required, you can also
choose to open the file with the default application.


For a quick view of PDF and Microsoft Office files:


1. Go to the Analyzed data view and click Documents in the project tree.


2. From the Documents tab, double-click a file to view it.

[Figure: project tree of a Samsung GSM_GT-i9506 extraction with Documents selected.]


The following window appears.


[Figure: Documents (29) tab and a PDF attachment opened in its own tab with Hex View,
Document View and File Info sub tabs; the file's path in the userdata partition is shown
above the page.]
The document controls include:


» Move between the next and previous pages of the file.


» When the page is enlarged, click the arrows to navigate the page.
» Rotate the page clockwise and anti-clockwise.


» Zoom in and out. You can also adjust the zoom using the slider.
» Zoom to fit the tab.


» Reset the zoom to 100%.


» Hide the image controls.


To open the file in another application, click Open with default program.
5.5. Viewing video files


1. In the Analyzed data tab, go to Media > Videos.
2. Double click Videos to open the Videos tab.


If media classification was run on the extraction, you can double click
the relevant category to open its tab. See Media classification (on
page 346).


[Figure: Videos (16) tab with the Table View, Thumbnail View, Folder View and Gallery View
buttons, opened alongside the Cloud (13) and Extraction Summary tabs.]

In the Videos tab, you can select the view in which you wish to see the videos. Available
views include:
» Table view


View a list of all videos in table format. Double click a video to open it in a separate tab.

[Figure: Videos (16) in Table view, with the Actions menu (Open with default program,
Export).]

» Thumbnail view


View videos by thumbnail. Double click a video to open it in Gallery view.


[Figure: Videos tab in Thumbnail view.]

» Folder view


View the folder structure of the data file paths in the reconstructed file system. Double
click an item to open it in Gallery view.


[Figure: Videos (16) in Folder view.]


» Gallery view


View videos in gallery format, easily scrolling through videos. If media classification was
run on the extraction, view additional category details. See Viewing classified videos (on
page 350).
[Figure: Videos (16) in Gallery view.]


Viewing single videos


1. In Gallery view, click Open in a new tab to view the video in a separate tab.


[Figure: a video opened in its own tab next to the Videos (16) tab.]


The sub tabs for each video include:


» Hex view - view hex data for the video.


» File info - view the file information. For example, the File metadata section includes
information such as the Capture Time, which is the date and time the video was taken.
» Video view - Play the video and view frames according to media categories.
5.6. Redact content


Manually redact inappropriate images or videos. If a redaction has been performed, a
redacted thumbnail appears, and when generating reports those marked files are marked as
redacted. You can also redact all attachments from your report in a single action when
generating reports (for sensitive data, or to reduce the report size).


The following procedures show how to redact and restore images. You can also perform
these actions from the Videos tab.


To redact an image:


1. Go to Analyzed data > Media > Images.
2. Double click to open the Images tab. The following window appears.


[Figure: Images (24121) tab in Table view with one filter applied (Type: Images) and the
details pane of a selected image showing its Path in the userdata partition.]


3. Select the images.
4. Right-click the images and select Redact.


or


From the Actions menu select Redact (or use the hotkey Ctrl + F6). A redacted indicator
then appears on the image.
To restore a redacted image: 

1. Select the images. 
2. Right-click the images and select Restore. 

or 

From the Actions menu select Restore. 
6. Locating and analyzing information 

This section describes how to browse, search, filter, bookmark, and manage the information in your project. 


6.1. Searching for information in a data tab 


In Table View tabs, search for a particular item within the data table. The search is 
performed on all the data entries within the table. 


» In the Table Search box, enter any string. 


The table updates to display only items containing the string you entered. 


6.2. Using the quick filter 


To improve accessibility the filters are now grouped under simple menus. An example is 
displayed next. 


[Screenshot: Filters menu with the entries Known images, Deleted, Size, Metadata, Capture time, Related items, Direction, Attachments, and Tags; a submenu lists the file types JPG, GIF, and BMP with check boxes]


Use the quick filters to filter data in Table View tabs. 

» Only non-system: Display native or non-system images. Filter images that come with the device or as part of an app installation. By default, all system images are filtered. You can change this setting under Settings > Data Files. 
» Show all: Display all items. This filter overrides the filters applied with the following three filters: Only selected, Only unselected, and Deleted. 
» Only selected: Display only items that are selected. 
» Only unselected: Display only items that are not selected. 
» Deleted: Display only deleted items. 
» Show all image sizes: Display all images. This filter overrides the filters applied with the following three filters: Display images above 30 KB, above 100 KB, and above 500 KB. 
» Display images above 30 KB: Display only small images above 30 KB. 
» Display images above 100 KB: Display only medium-sized images above 100 KB. 
» Display images above 500 KB: Display only large images above 500 KB. 
» Filter images (by signature): Click to enable file type filtering: JPEG, GIF, BMP, or PNG. 
» Metadata: Filter image and video files by Metadata (All, Without metadata or Has metadata) and Location (All, Has location or Without location). 
» Capture time: Filter image and video files by capture time. The maximum range is displayed by default, and you can select a specific date and time range. 
» Translation filter: Filter translated text to display all text, translated text or text that has not been translated. 
» Related items: Filter related items for extractions, which is very useful when working with the Multiple Extractions feature (see Analyzing multiple extractions (on page 70)). All displays all items, Only deduplications displays only items that include deduplications (duplicate or redundant data), Only non-deduplications displays only items that do not include deduplications, and Only items with additional data displays only items that include additional information. 
» Translation commands: Translate all or selected texts, or delete translations. 
» Conversation view: Open a conversation tab that displays the item and related messages. 
» Messages view: Open all messages within a conversation in a table view. 
» Attachment filter: Filter data files with attachments. All is for all data files, Attachments is for data files with attachments, and Not attachments is for data files that are not attachments. 
» Direction: Filter attachments that were sent or received. All is for all attachments, Sent is for attachments that were sent, Received is for attachments that were received, and Unknown is for unknown attachments. 
» Attachment source app: Filter by the attachment's source app. All apps in the extraction are listed. Select the apps to display and then click Finish. 
» Tag: Tag selected items. 
» Remove tag: Remove a tag from the selected items. 
» Manage tags: Open the Manage tags window. 
» SQLite wizard: Open the SQLite wizard to build SQL queries and map database fields to Physical Analyzer models. For more information, see SQLite wizard (on page 307). 
» Hide/view lower pane: Hide the lower pane with map item details. Click again to open the pane. 
» Hide/view right pane: Hide the right pane with item details. Click again to open the pane. 
» Export: Export the current view to an Excel (only hash values), Excel, HTML, PDF, XML, Word file, Project VIC (JSON), or GriffEye format (*C4P Index.xml). You can import the exported image or video files into Griffeye using a C4All XML data source. 
» Location filter: Filter the locations displayed on the map. 
» Address: Retrieve a physical address for the selected location. 
» Group by: Group selected images or videos by time captured/recorded, created, modified, accessed, or deleted, or by camera make or model. 
» Clear filters: Remove all applied filters. 

The toolbar items are context-sensitive, and only appear when relevant data is displayed. 
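As an added example, not code from the manual or from Physical Analyzer, the following Python reproduces the logic behind two of the quick filters above: Filter images (by signature), which classifies a file by its leading bytes rather than by its name, and the Display images above 30 KB / 100 KB / 500 KB size filters. The file names and contents and the helper names (detect_type, filter_images, extension_mismatches) are constructed for the example.

```python
"""Added example (not Physical Analyzer code): the 'Filter images (by signature)' and
'Display images above N KB' quick filters, applied to constructed sample files."""
import os

# Leading bytes that identify the four file types the quick filter offers.
SIGNATURES = {
    "JPEG": (b"\xff\xd8\xff",),
    "GIF": (b"GIF87a", b"GIF89a"),
    "BMP": (b"BM",),
    "PNG": (b"\x89PNG\r\n\x1a\n",),
}

# What a file extension claims to be; used only to report mismatches.
EXTENSION_TYPES = {".jpg": "JPEG", ".jpeg": "JPEG", ".gif": "GIF", ".bmp": "BMP", ".png": "PNG"}

# The three size filters of the quick filter menu, in KB.
SIZE_FILTERS_KB = {"above 30 KB": 30, "above 100 KB": 100, "above 500 KB": 500}


def detect_type(data: bytes):
    """Return the image type by signature, or None when no known signature is present."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def filter_images(files, types=None, size_filter=None):
    """files: iterable of (path, bytes). types: set of allowed signature names (None = any
    recognised image). size_filter: one of SIZE_FILTERS_KB keys, or None for 'Show all
    image sizes'. Returns the paths that pass, in input order."""
    min_bytes = SIZE_FILTERS_KB[size_filter] * 1024 if size_filter else 0
    kept = []
    for path, data in files:
        kind = detect_type(data)
        if kind is None:
            continue                      # not an image by signature, whatever the name says
        if types is not None and kind not in types:
            continue
        if len(data) <= min_bytes:
            continue
        kept.append(path)
    return kept


def extension_mismatches(files):
    """Paths whose extension claims a type different from the signature (or with no signature)."""
    out = []
    for path, data in files:
        claimed = EXTENSION_TYPES.get(os.path.splitext(path)[1].lower())
        if claimed is not None and detect_type(data) != claimed:
            out.append(path)
    return out


def _fake_file(magic: bytes, size_kb: int) -> bytes:
    """Constructed sample: a valid signature followed by zero padding to the requested size."""
    return magic + b"\x00" * (size_kb * 1024 - len(magic))


# Constructed sample files; the paths are invented for this example.
SAMPLE_FILES = [
    ("DCIM/photo.jpg", _fake_file(b"\xff\xd8\xff\xe0", 40)),
    ("icons/app.png", _fake_file(b"\x89PNG\r\n\x1a\n", 2)),
    ("DCIM/renamed.jpg", _fake_file(b"\x89PNG\r\n\x1a\n", 120)),   # PNG data under a .jpg name
    ("cache/large.bmp", _fake_file(b"BM", 600)),
    ("notes/readme.gif", b"just text, not a GIF at all"),
]

if __name__ == "__main__":
    print(filter_images(SAMPLE_FILES, types={"JPEG"}))
    print(filter_images(SAMPLE_FILES, size_filter="above 100 KB"))
    print(extension_mismatches(SAMPLE_FILES))
```

Filtering by signature rather than by extension is what makes the quick filter dependable on a seized device: a PNG renamed to .jpg is still listed under PNG, and a text file named .gif is not listed as an image at all. The extension_mismatches helper lists such files so that an examiner can review them separately.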
6.3. Using the advanced filters 


In any Analyzed data or Data file window, the listed results are filtered by column. Click on 
the relevant column heading to view filter and sort options. An example is displayed next. 


[Screenshot: SMS Messages (210) tab with the Timestamp column filter open, showing Sort Descending, All timestamps, and a date range picker; the status bar reads Total: 210, Deduplication: 2, Items: 208/208, Selected: 208]


When a filter is selected, only relevant results will be displayed. 


6.4. Using advanced search 


Using the new Advanced Search capability, narrow the scope of queries by applying filters 
and specifying additional requirements for a search. This functionality enables: 


» Multiple keywords search 
» And, or and exclude 
» Searching in file contents 


To start using the Advanced Search: 


1. Click Advanced at the top right of the screen. The following window appears. 

[Screenshot: Advanced Search window with the boxes Any of these terms (e.g. Apple, orange, tomato), All of these terms (e.g. mackinaw peaches, Jonathan apples), and None of these terms, a Search in project selector, and a Search file contents check box with the note "This process may take several minutes"]

2. Enter any, all or none of these terms. 
3. Use a comma to separate terms. 
4. Select the project (or search all projects). 
5. Optionally select Search file contents to search in the contents of files within the extracted device (including file formats such as XML, plist, txt, DB, PDF, xlsx, DOCX, etc.). 
6. Click Search. 


Search results are presented in a separate Advanced search results tab, where you can 
view results, tag and mark items to include in your report. 
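To make the any/all/none semantics concrete, here is an added Python example; it is not Physical Analyzer code, whose internals the manual does not describe. It splits each term box on commas, folds case, and searches the decoded fields of a few constructed records, looking inside raw file content only when the Search file contents option is set. The record layout and the helper names (Record, advanced_search, count_by_type) are assumptions made for the example.

```python
"""Added example (not Physical Analyzer code): the any / all / none term logic of the
Advanced Search, run over a few constructed records."""
from dataclasses import dataclass


@dataclass
class Record:
    """One decoded item as it would appear in a results table (constructed sample)."""
    kind: str                    # results "Type" column, e.g. "Chats", "Emails"
    fields: dict                 # decoded fields that are always searched
    file_bytes: bytes = b""      # raw file content, searched only with search_file_contents


def parse_terms(box: str) -> list:
    """Split one term box on commas, as the dialog does; blanks are dropped and case is folded."""
    return [t.strip().lower() for t in box.split(",") if t.strip()]


def searchable_text(rec: Record, search_file_contents: bool) -> str:
    parts = [str(v) for v in rec.fields.values()]
    if search_file_contents and rec.file_bytes:
        # Binary-safe: undecodable bytes are skipped rather than aborting the search.
        parts.append(rec.file_bytes.decode("utf-8", errors="ignore"))
    return "\n".join(parts).lower()


def advanced_search(records, any_terms="", all_terms="", none_terms="", search_file_contents=False):
    """Return (record, matched_terms) for every record that satisfies all three boxes.

    any_terms: at least one term must occur; all_terms: every term must occur;
    none_terms: no term may occur. An empty box imposes no constraint, but at least
    one positive box is required so that an empty query cannot return everything.
    """
    any_t, all_t, none_t = parse_terms(any_terms), parse_terms(all_terms), parse_terms(none_terms)
    if not any_t and not all_t:
        raise ValueError("enter at least one term in 'Any of these terms' or 'All of these terms'")
    hits = []
    for rec in records:
        text = searchable_text(rec, search_file_contents)
        if any_t and not any(t in text for t in any_t):
            continue
        if all_t and not all(t in text for t in all_t):
            continue
        if any(t in text for t in none_t):
            continue
        hits.append((rec, sorted({t for t in any_t + all_t if t in text})))
    return hits


def count_by_type(hits) -> dict:
    """Per-type counts, like the grouped counts shown in the quick results list."""
    counts = {}
    for rec, _ in hits:
        counts[rec.kind] = counts.get(rec.kind, 0) + 1
    return counts


# Constructed sample records; sources, bodies and file contents are invented for this example.
SAMPLE_RECORDS = [
    Record("Chats", {"Source": "Facebook", "Body": "You sent a sticker"}),
    Record("Chats", {"Source": "Facebook", "Body": "Sure, see you at 5"}),
    Record("Emails", {"Source": "Gmail", "Subject": "Re: sticker pack pricing"}),
    Record("Data files", {"Name": "prefs.plist"},
           file_bytes=b"<key>lastStickerPack</key><string>animals</string>"),
]

if __name__ == "__main__":
    for rec, terms in advanced_search(SAMPLE_RECORDS, any_terms="sticker", search_file_contents=True):
        print(rec.kind, terms, rec.fields)
```

The fourth record shows why the Search file contents option is slower and worth having: the string occurs only inside the file, so the same query finds two records without the option and three with it.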


[Screenshot: Advanced search results:(3) Any:('sticker') tab listing three Chats items, with Filters, Actions, and Table Search controls; the status bar reads Total: 3, Deduplication: 0, Items: 3/3, Selected: 3]


6.5. Searching for information in all open projects 


Use the all project search box in the toolbar to search for information in all open projects. 


1. Type any string in the search box. 

A list of matching results appears under the search box. The results are sorted by open project. Within each open project, the results are sorted by categories according to type (messages, contacts, files, and so on). The number of matching results found in each type category is also displayed. 


[Screenshot: quick results list for the search string "money": Show All (5); Samsung GSM_GT-i9506 Galaxy S4_2020-05... (5); AdvancedLogical_2020-03-18 Report (0)]


2. Click the expand/collapse icon to collapse or expand the projects. 
3. Do one of the following: 
» Click the icon next to the project name to view the results of the search in that extraction in a tab in the data display area. 
» Select Show All from the top of the quick results list to display a Search results tab in the data display area listing all the matching search results. The matching string in each item is indicated. As in the quick results list, the Search results tab lists the results by type. An example is displayed next. 


[Screenshot: Search results (money) (5) tab listing the matches by type, for example a Skype chat and a User Dictionary word containing "money"]

You can create tags for the global search results items by selecting the Tag All or Tag options; however, Device Info and folder files cannot be tagged. 

Your recent search activity (up to 20 searches), including All projects search and table search, is saved until you close the application. 


6.6. Browsing the file system 


Physical Analyzer has the ability to reconstruct and display the device file system in a tree 
structure. 


To browse the device file system: 


1. In the File Systems view, click the expand icon at every node to expand the tree item. 

2. Continue drilling down in the file system to explore its content. 

Files in the reconstructed file system display one of the following icons: 

» Existing file found in the system 
» Deleted file data found in the file system 

3. When you reach a file that you want to open, double-click it to display its information in the data display area. 

The number of information tabs displayed for the file changes according to the file type. For example, an unknown file may display only the Hex View and File info tabs, while a JPEG image may display additional Image view and Meta data tabs. The default view is Hex view. 

For more information on working with Hex view, see Hex view (on page 116) and Working with hex data (on page 375). 

4. While the Hex extraction of an image is displayed in the data display area, click a file under the File Systems tree to highlight the data portion of this file in the Hex data in the data display area. 


6.7. Accessing conversation view 


Communication-based data, such as call logs, email, instant messages, and so on, can be displayed in a conversation view layout that makes it easier to track the communication between two or more parties. You can search for messages within a chat, select the messages to include within a report (by default all chat messages are included), or export the conversation. 

Messages in the conversation have an indication of how they were sent: PC, mobile, or Siri (for native iMessages). 

In some cases, mainly when messages have been deleted, they cannot be forensically placed in a chat. To maintain forensic accuracy of the messages, they will be placed in Instant messages and available for review under Analyzed data > Instant messages. 


To access and use conversation view: 
1. In a communication-based data table, select one of the records. 
2. Click the conversation view icon. 

A conversation tab opens, displaying related items as a conversation between the sending and receiving parties of the selected item. 


[Screenshot: Instant Message conversation tab with a Participants (6) list, a From field, and Attachment and SharedContacts sections]


3. To translate or delete translated text, click Actions and then select Translate all, 
Translate selected or Delete all translations. 


[Screenshot: Instant Message conversation tab with the Conversation View and Messages View toggles, Export, Filters, and Actions menus, Participants (2), Sort by, and Right pane options; the right pane shows item details such as Source: Skype, Timestamp, Status, Extraction, Source file, Map, and Location]
4. To export the conversation, click Export. 
5. Select the desired output: Excel, HTML, PDF, XML, or Word. 

6. To change the order of the conversation, click Actions > Sort by and then select Oldest message first, or Newest message first. 

7. To filter messages, enter text in the search box or click Filter. 

8. To add or edit tags, click the tag icon. 

9. Select a check box to include specific messages in the report (or select all messages or no messages). 




6.8. Working with watch lists 


Run a watch list of keywords against your decoded data to identify and highlight the 
important and relevant information. Watch lists can either be activated automatically or run 
manually on selected decoded data. 


Watch lists include the following: 


» Run multiple watch lists on the selected project. 

» Receive notifications in the progress bar. 

» View watch list results in a separate Watch List results window. 
» Select, tag and incorporate watch list results into your reports. 


6.8.1. Creating a watch list 
1. In the Tools menu, select Watch list > Watch list editor. The Watch List Editor appears. 

2. Click +, and select New. The following window appears. 




[Screenshot: Watch list editor window with the Watch list name and Enter description boxes, an Enter text to filter box, a Keywords list with the columns Entry Value, Match case, Whole word, and Color, and the Created on and Last modified on dates]


3. In the Watch list name box, enter a name for the watch list. 


4. To set the watch list to find keywords only in Analyzed Data types or data files in the 
project, click Find in, and select the desired types. 


[Screenshot: Find in tree: Extraction, containing Analyzed Data and Data files; Data files lists Applications, Archives, Audio, Configurations, Databases, Documents, External files, Images, Logs, Screen capture, Shortcuts, Text, Video recording, Videos, Watch list results, and Uncategorized, each with a check box]


When you run the watch list, only selected types are checked for matches. 
5. In the Enter description box, enter a general description for the watch list (optional). 

6. To set the watch list to run automatically when you open projects, click Auto-activate. 

7. Click New to add a new keyword. A new keyword row appears in the Keywords list. 
8. For each keyword, set the following, as desired: 

» Entry Value: Enter the keyword. 
» Match case: Select to match the case of the keyword. 
» Whole word: Select to match the whole keyword. 
» Color: Click the color picker and select the color you want matched keywords to be shown in. 

9. Do one of the following: 

» Click Apply to save the watch list and keep the Watch List Editor open. 
» Click OK to save the watch list and close the Watch List Editor. 
» Click Cancel to close the Watch List Editor without saving your changes. 


6.8.2. Editing a watch list 


1. In the Watch List Editor, select the watch list that you want to edit. 

2. Edit the watch list parameters and keywords that you want to change. 

3. To filter the keyword list to locate a particular keyword, type the keyword in the Enter text to filter box. 

4. To edit a keyword, click the relevant keyword in the list, and make the desired changes. 

5. To delete a keyword, click X. 

6. When you have finished making changes, do one of the following: 

» Click Apply to save the watch list and keep the Watch List Editor open. 
» Click OK to save the watch list and close the Watch List Editor. 
» Click Cancel to close the Watch List Editor without saving your changes. 


6.8.3. Importing a watch list 


The export and import functions enable you to share watch lists and receive watch lists from your colleagues. Import existing watch lists (*.csv files) that were saved from or created by Physical Analyzer. 

You can also import a CSV file with each keyword on a separate line. This option will import the keywords without any formatting and will set all data types by default. 

1. In the Tools menu, select Watch list editor. The Watch List Editor appears. 

2. Click +, and select Import. 

3. Browse to the location where your watch list is saved, select the CSV file, and click Open. 

The watch list appears in the Watch List Editor. An example is displayed next. 
[Screenshot: Watch list editor showing the imported watch list Narcotics with the keywords drugs, Downers, Tranks, moggies, and Zanbars; Created on: 29/12/2019, Last modified on: 29/12/2019]


6.8.4. Exporting a watch list 


Export watch lists to save the watch list as a *.csv file for later use, or to share with others. 


1. In the Watch List Editor, select the watch list that you want to export. 

2. Click the export icon. 

3. Browse to the location where you want to save your watch list, and click Select Folder. 

The watch list is exported. It is saved by default as [name of watch list].csv. 


6.8.5. Deleting a watch list 


1. In the Watch List Editor, select the watch list that you want to delete. 

2. Click the delete icon. The following window appears. 

[Dialog: Remove watch list. "You are about to delete the selected watch lists. Continue?" with Yes and No buttons]

3. Click Yes. The watch list is deleted. 
6.8.6. Running a watch list 


When you run a watch list from the Watch List Editor, you can select which watch lists to run, 
and on which projects you want to run them. 


1. Select Tools > Watch list > Run watch list. The following window appears. 

[Dialog: Watch list. Apply watch list to: the open projects (for example Root_2018-05-23_Report and Samsung GSM_GT-i9205 Samsung Galaxy Mega 6.3). Select watch lists: the available watch lists (for example Drugs2 and Narcotics), with Apply and Cancel buttons]

2. Select the open project that you want to run the search on and the required watch lists. 

A tick mark shows that the selected watch list is currently active for the project. 

3. Click Apply. 

Physical Analyzer searches for keywords in the selected project. When complete, the watch list results appear in the Watch Lists tree item in the Insights view. 

If the watch list is assigned to only particular information types (see Creating a watch list (on page 145)), only matches to those types appear in the watch list results. 
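The Match case and Whole word options from Creating a watch list, the one-keyword-per-line CSV import from Importing a watch list, and the restriction to selected data types described just above can be modelled together. The following Python is an added example, not code from the manual or from Physical Analyzer; the Keyword, WatchList and Item classes, the sample items, and the contents of the watch list are constructed for it.

```python
"""Added example (not Physical Analyzer code): watch list keywords with the Match case and
Whole word options, plain CSV import, and a run restricted to selected data types."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Keyword:
    value: str
    match_case: bool = False
    whole_word: bool = False
    color: str = "#FFFF00"        # highlight colour; constructed default

    def pattern(self):
        pat = re.escape(self.value)
        if self.whole_word:
            pat = r"(?<!\w)" + pat + r"(?!\w)"    # no word character on either side
        return re.compile(pat, 0 if self.match_case else re.IGNORECASE)


@dataclass
class WatchList:
    name: str
    keywords: list
    find_in: Optional[set] = None    # data types to search; None means all types
    auto_activate: bool = False


@dataclass
class Item:
    """A decoded item (constructed sample); kind is its data type as shown in the Type column."""
    kind: str
    content: str


def import_plain_csv(name: str, text: str) -> WatchList:
    """Import a CSV with one keyword per line: no formatting, all data types, as the manual states."""
    keywords = [Keyword(line.strip()) for line in text.splitlines() if line.strip()]
    return WatchList(name, keywords, find_in=None)


def run_watch_list(wl: WatchList, items) -> list:
    """One result row per (item, keyword) pair with at least one match, mirroring the
    Search term / Matches count / Type / Content columns of the results window."""
    rows = []
    for item in items:
        if wl.find_in is not None and item.kind not in wl.find_in:
            continue
        for kw in wl.keywords:
            count = len(kw.pattern().findall(item.content))
            if count:
                rows.append({"term": kw.value, "matches": count, "type": item.kind,
                             "content": item.content, "color": kw.color})
    return rows


def matches_per_term(rows) -> dict:
    totals = {}
    for r in rows:
        totals[r["term"]] = totals.get(r["term"], 0) + r["matches"]
    return totals


# Constructed sample watch list and items.
NARCOTICS = WatchList("Narcotics", [
    Keyword("drugs"),                                    # any case, substring allowed
    Keyword("powder", whole_word=True),
    Keyword("white", match_case=True, whole_word=True),
])

SAMPLE_ITEMS = [
    Item("Cookies", "Cookie: _utmz (.drugs.com)"),
    Item("Emails", "Fwd: the white powder arrived yesterday"),
    Item("User Dictionary", "powder"),
    Item("Chats", "Drugstore run at 5?"),
    Item("SMS Messages", "WHITE noise all night"),
]

if __name__ == "__main__":
    for row in run_watch_list(NARCOTICS, SAMPLE_ITEMS):
        print(row["term"], row["matches"], row["type"], "|", row["content"])
```

The Chats item shows the trade-off behind Whole word: with it off, "drugs" also hits "Drugstore", which raises recall at the cost of noise an examiner then has to read through; with it on, only the cookie domain matches.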


4. Double-click the watch list results from the tree item to open the Watch list results 
window. 


[Screenshot: Watch list results: Narcotics (22) tab with the columns Search term, Matches count, Type, Fields, and Content; the matches include Chats, User Dictionary, Emails, and Cookies items; the status bar reads Total: 22, Deduplication: 0, Items: 22/22, Selected: 22]


From this window you select, tag and incorporate watch list results into your reports. An example from the report wizard is displayed next. 
[Screenshot: Report wizard, Report Dataset page for Samsung GSM_GT-i9205 Samsung Galaxy Mega 6.3, with the sections General, Report Dataset, Security, Formatting, Table Sorting, and HTML Report, a Time range filter (Only events between these dates, From and To), and a Data types list with Select/Deselect All and per-type counts such as Application Usage (4828/4828), Chats (122/123), and Emails (30/31)]

6.8.7. Locating a watch list 


1. In the Tools menu, select Watch list > Watch list editor. The Watch List Editor appears. 

2. In the Enter text to filter box, enter the watch list name in whole or in part and click the search icon. 

The list of watch lists is filtered accordingly. 
6.9. Importing and categorizing hash sets 

Hash database files are used to compare the MD5 hash sets of images, videos and files in an extraction to databases of known and blacklisted files. This feature provides the capability to quickly identify media related to child exploitation, and incriminate predators. Physical Analyzer enables you to create hash databases by importing Project VIC and CAID files, and matching them against media recovered as part of the extraction, specified with the appropriate Project VIC/CAID category. In addition, you can also upload any CSV or text file which contains a list of known hash values, and match it against any file recovered from the device. 


The Hash set feature supports the following types of files: 


» Project VIC: An ecosystem of information and data sharing between domestic and international law enforcement agencies all working on crimes facilitated against children and the sexual exploitation of children. Project VIC compiled all existing online child abuse images into a single repository. Each image, whether still or video, has a unique identifier known as a "hash value." Using the hash value allows investigators to quickly rule images in or out of their searches. For more information, refer to http://www.projectvic.org/ 

» CAID: The Child Abuse Image Database. CAID uses the latest technology to transform how we deal with images of Child Sexual Exploitation and Abuse. It brings together all the images that the Police and NCA encounter. Forces then use the images' unique identifiers - called hashes - and metadata to improve how they investigate these crimes and protect children. The Home Office developed CAID in collaboration with the police, industry partners and British and international Small and Medium Sized Enterprises (SMEs). CAID went live with seven police forces in December 2014. All UK territorial police forces and the National Crime Agency are now connected to CAID. For more information, refer to https://www.gov.uk/government/publications/child-abuse-image-database 

» Text and CSV: Any text or CSV file with MD5 hash sets/values in one column with all hash set values, without headers. 


For more information, see the following sections: 


» Managing hash sets (on the facing page) 
» Adding a hash set (on page 156) 
» Running hash sets (on page 158) 
» Editing, updating and deleting hash sets (on page 162) 
» Exporting the hash database (on page 163) 
6.9.1. Managing hash sets 


This section includes the following: 


» Accessing the hash set manager 
» Moving the hash set database location 


» Connecting to a hash set database 


To access the hash set manager: 


» From the Tools menu select Watch List > Hash set manager (or Ctrl+H). The following window appears. 


[Screenshot: Hash set manager window. Import and categorize MD5 hash sets for known files. Hash set database location: C:\Program Files\Cellebrite Mobile Synchronization\UFED Physical Analyzer6.3.0.205\Resources\HashSets.DB, with a Connect to existing DB link; an Active project selector; a New button; the columns Name, Size, No. of records, Imported, Modified, Display, Autorun, and Status; the rows include Known files database (Cellebrite), textExample (288.0 bytes, 2 records, Show files), and ExternalStationsFile (382.0 bytes, 36 records)]


This Hash set manager window displays information and enables you to perform actions, as follows: 

» Connect to existing DB (link): Connect to a new or shared hash set database location. 
» Active project (list): Select the active Physical Analyzer project. 
» New (button): Create a new hash set. For more information, see Adding a hash set (on page 156). 
» Name (field): Name of the hash set. 
» Size (field): Size of the hash set. 
» No. of records (field): Number of records in the hash set. 
» Imported (field): Date the hash set was imported into Physical Analyzer. 
» Modified (field): Date the hash set was last modified. 
» Display (field): Interface display settings for the hash set: Show files or Redact files. 
» Auto run (field): Auto-run the hash set as part of the automatic decoding process. 
» Status (field): Indication if the hash set is ready to be run. 
» Edit, update and delete (icons): Edit, update or delete hash sets. 
» Run (button): Run the hash sets against the active project. 
» Save (button): Saves any changes that you made to the Hash set manager. 
» Close (button): Close the Hash set manager. 


You cannot edit or delete the default hash set: Known files database 
(Cellebrite). This hash set is used to categorize images that appear 
under the Data Files tree item. 


Common/Known Image Filter: As part of the decoding process, Physical 
Analyzer can calculate hash values of any extracted data file, particularly 
for media files. Physical Analyzer automatically filters out common 
images. This saves time that would otherwise be spent reviewing common 
media images that are device files, device icons or images that are part of 
an app’s installation. 


Moving the hash set database location 


If required, you can move the hash set database to a new location. Other users can then use 
the connect procedure below to connect to this new location. 


Depending on the size of the database, moving it to a new location will take time to complete. 
To change the hash set database location: 
1. Go to Tools > Settings. The General Settings window appears. For more information on settings, see General settings (on page 421). 
2. In the Hash set area, click Change. 

[Screenshot: Hash set area of the General Settings window, showing the Hash set database path with a Change button and the note "Moving the database to a new location will take time."]

3. Select the required location. 
4. Click Select Folder. 
5. Click OK. 


6.9.1.1. Connecting to a hash set database 


After a database is moved to a new location, other users can use the connect procedure below to connect to this new or shared location. 


To connect to a different hash set database: 


1. Click the Connect to existing DB link. 


The default location is: 


C:\Users\<username>\AppData\Roaming\Cellebrite Mobile 
Synchronization\HashSets\HashSets.DB 


2. Browse to the location of the required hash set database. 


3. Click Open. 
6.9.2. Adding a hash set 

To add a new hash set: 

1. Click New. The following window appears. 

[Screenshot: New hash set window with the file type tabs PROJECT VIC, CAID, TXT file, and CSV file; a Hash set file box with an Import hash set file button; Name; Category (US Category: Non-Pertinent, Child Abuse Material (CAM), Child Exploitation Material (non-CAM) / Age Difficult, CGI/Animation, Comparison Images, Uncategorized); a Display area with Interface and Report both set to Show files; Cancel and Add buttons]


2. Select the file type: Project VIC, CAID, TXT file, or CSV file. 

After the hash set is added, the selected file type cannot be changed. 

3. Click Import hash set file, select the required file and click Open. 
4. Enter a name for the imported file or use the default name. 

5. If you are importing a Project VIC file select a category, as displayed next. For each category, relevant category colors are displayed. CAID is automatically set to the UK category. 


» US: United States of America. This includes the following categories: Non-Pertinent, Child Abuse Material (CAM), Child Exploitation Material (non-CAM) / Age Difficult, CGI/Animation, Comparison Images, Uncategorized.

» UK: United Kingdom. This includes the following categories: Uncategorized, SC Category A, SC Category B, SC Category C, Prohibited Images Of..., Extreme Pornography, Indicative/Borderline Unconfirmed, Ignorable/Discounted, Support Victim ID.

» CA: Canada. This includes the following categories: Unknown, Child Pornography, Investigative Intelligen..., Other.


6. In the Display area, select how the results are displayed. You can show or redact files for each of the following:

» Interface: Select how the resulting files will be displayed in the Physical Analyzer user interface.

» Report: Select how the resulting files will be displayed in the Physical Analyzer reports.

7. Click Add. A new row is added to the table. For information on running a hash set, see Running hash sets (on the next page).


The Extraction Summary window displays information about each hash set including: name, file information, date modified, date run, number of detected files, display settings, and report settings. An example is displayed next.

[Screenshot: Extraction Summary > Hash set info, listing two hash sets. First: Name NJ drugs cartel; File info ProjectVicWithVideo&Audio.json (332.8 KB); Modified 5/28/2017 11:54; Run time 5/28/2017 11:54; No. of detected files 6; Display Show files; Report Display Show files. Second: File info ProjectVic.json (332.8 KB); Modified 5/28/2017 11:53; Run time 5/28/2017 17:41; No. of detected files 0; Display Show files; Report Display Show files.]
6.9.3. Running hash sets


To run hash sets:
» In the Hash set manager window, click Run.

After you run the hash set, the matching results are displayed in the project tree on the left under Watch list > Hash sets.

[Screenshot: project tree showing Watch Lists > Hash sets, with Audio > Project VIC (1), Image > Project VIC (3), and Malware scanner.]
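The import, update and run steps above, as an added example that is not Cellebrite's code and does not use the real HashSets.DB layout. It keeps hash sets in a SQLite table, imports TXT, CSV and Project VIC style files, records each set's Interface and Report display setting, and hashes a set of files to find matches. The CSV header (md5,category), the simplified VIC JSON layout ({"value": [{"MD5": ..., "Category": n}]}), the numeric category codes, and the sample files are all assumptions constructed for the example.

```python
# Added example, not Cellebrite code: a minimal hash-set store that imports
# TXT, CSV and Project VIC style files, hashes a set of files, and returns
# each match with the hash set's Interface/Report display setting.
# Assumptions: MD5 hex digests; the VIC JSON layout and numeric category
# codes below are simplified stand-ins, not the real Project VIC schema.
import csv
import hashlib
import io
import json
import sqlite3

SHOW, REDACT = "Show files", "Redact files"   # display settings named in the manual

# US category labels from the manual; the numeric codes are an assumption.
US_CATEGORIES = {0: "Non-Pertinent", 1: "Child Abuse Material (CAM)",
                 2: "Child Exploitation Material (non-CAM) / Age Difficult",
                 3: "CGI/Animation", 4: "Comparison Images", 5: "Uncategorized"}


def parse_hash_file(kind, text):
    """Return [(md5, category)] from a TXT, CSV or VIC-style JSON body."""
    kind = kind.lower()
    if kind == "txt":                       # one hash per line, no category
        return [(ln.strip().lower(), "Uncategorized")
                for ln in text.splitlines() if ln.strip()]
    if kind == "csv":                       # assumed header: md5,category
        return [(r["md5"].strip().lower(), r.get("category") or "Uncategorized")
                for r in csv.DictReader(io.StringIO(text))]
    if kind == "vic":                       # simplified Project VIC JSON
        return [(r["MD5"].lower(), US_CATEGORIES.get(int(r["Category"]), "Uncategorized"))
                for r in json.loads(text)["value"] if r.get("MD5")]
    raise ValueError("unsupported hash set file type: " + kind)


class HashSetDB:
    """Stand-in for HashSets.DB: a SQLite database (in memory by default)."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(
            "CREATE TABLE IF NOT EXISTS hashset(id INTEGER PRIMARY KEY,"
            " name TEXT UNIQUE, kind TEXT, interface TEXT, report TEXT);"
            "CREATE TABLE IF NOT EXISTS entry(set_id INTEGER, md5 TEXT,"
            " category TEXT, UNIQUE(set_id, md5));")

    def add(self, name, kind, text, interface=SHOW, report=SHOW):
        """Import a hash set file; the file type is fixed once added."""
        cur = self.db.execute(
            "INSERT INTO hashset(name, kind, interface, report) VALUES(?,?,?,?)",
            (name, kind, interface, report))
        self._insert(cur.lastrowid, parse_hash_file(kind, text))
        return cur.lastrowid

    def update(self, name, text):
        """Merge an update file: only new unique hashes are added, hashes absent
        from the update are not removed. Returns the number of hashes added."""
        set_id, kind = self.db.execute(
            "SELECT id, kind FROM hashset WHERE name=?", (name,)).fetchone()
        before = self.count(name)
        self._insert(set_id, parse_hash_file(kind, text))
        return self.count(name) - before

    def _insert(self, set_id, entries):
        self.db.executemany("INSERT OR IGNORE INTO entry VALUES(?,?,?)",
                            [(set_id, h, c) for h, c in entries])
        self.db.commit()

    def count(self, name):
        return self.db.execute(
            "SELECT COUNT(*) FROM entry e JOIN hashset s ON e.set_id=s.id"
            " WHERE s.name=?", (name,)).fetchone()[0]

    def run(self, files):
        """files: {path: bytes}. Hash each file and return every hash set hit."""
        hits = []
        for path, data in files.items():
            md5 = hashlib.md5(data).hexdigest()
            rows = self.db.execute(
                "SELECT s.name, e.category, s.interface, s.report FROM entry e"
                " JOIN hashset s ON e.set_id=s.id WHERE e.md5=?", (md5,))
            for name, cat, iface, rep in rows:
                hits.append({"path": path, "md5": md5, "hash_set": name,
                             "category": cat, "interface": iface, "report": rep})
        return hits


# Constructed sample files and hash set files (not from any real extraction).
SAMPLE_FILES = {
    "media/0/DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0 sample image one",
    "data/com.example/cache/thumb.jpg": b"\xff\xd8\xff\xe0 sample image two",
    "media/0/Download/notes.txt": b"just a text file",
}


def _md5(data):
    return hashlib.md5(data).hexdigest()


SAMPLE_TXT = _md5(SAMPLE_FILES["media/0/Download/notes.txt"]) + "\n"
SAMPLE_VIC = json.dumps({"value": [
    {"MD5": _md5(SAMPLE_FILES["media/0/DCIM/IMG_0001.jpg"]), "Category": 3},
    {"MD5": _md5(SAMPLE_FILES["data/com.example/cache/thumb.jpg"]), "Category": 4},
]})


def demo():
    """Add a redacting VIC set and a plain TXT set, then run both."""
    db = HashSetDB()
    db.add("NJ drugs cartel", "vic", SAMPLE_VIC, interface=REDACT, report=REDACT)
    db.add("known documents", "txt", SAMPLE_TXT)
    return db.run(SAMPLE_FILES)
```

Each hit carries the display settings of the hash set that produced it, so a viewer can decide per file whether to show or redact it, which is the behaviour the Interface and Report settings control. The update method mirrors the manual's note: an update file only adds unique records and never removes any.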
6.9.3.1. Examples


6.9.3.1.1. Redacted images 


An example with redacted image results is displayed next.

[Screenshot: an Images table in which the matched files (thumbnails under userdata (ExtX)/Root/media/0/DCIM/.thumbnails and userdata (ExtX)/Root/data/com.facebook...) are shown redacted; the status bar reads Total: 5, Deduplication: 0, Items: 5/5, Selected: 5, Known files: 5.]

To view the redacted image, double-click the required image and in the Image view tab click Restore.

[Screenshot: the Hex View, Image view and File Info tabs, with the Restore button in the Image view tab.]
6.9.3.1.2. Project VIC categories


An example with matching Project VIC categories is displayed next.

[Screenshot: Videos table with a Hash sets pane for MOV_8237.MOV (Type: Videos; Size: 1243255 bytes; Path: iPhone/var/mobile/Library/SMS/Attachments/76/06/.../MOV_82...; Created 8/3/2015 01:12(UTC+0); Accessed 8/6/2015 06:51(UTC+0); Extraction: File System; Camera Make: Apple; Camera Model: iPhone 5s; Record Time 8/3/2015 04:12(UTC+3)). The file matches hash set NJ drugs cartel, Type ProjectVIC, with the categories (US) CGI/Animation, (US) Uncategorized and (US) Child Abuse Material (CAM).]
6.9.3.1.3. Thumbnail view


A thumbnail view example, with a Project VIC category, is displayed next.

[Screenshot: Project VIC (3) tab in Thumbnail View, with a Metadata pane (Pixel resolution: 3264x2448; Resolution: 72x72 (Unit: Inch); Orientation: Rotate 90 CW), a Map pane (Position, Address, Map Address), and a Hash sets pane showing Name: NJ drugs cartel, Type: ProjectVIC - (US) Comparison Images.]

TXT and CSV matches are indicated with a yellow H icon in the table.
6.9.4. Editing, updating and deleting hash sets


You cannot edit or delete hash sets while Physical Analyzer projects are open. Close all projects and try again.


To edit the hash set properties:

1. Close all open extractions.
2. Select the required hash set record in the table.
3. Click the actions icon and select Edit hash set properties.
4. Edit the properties.
5. Click Save.

To update the records in a hash set file:

This option is useful if you want to apply an update to an existing hash set. For example, Project VIC sends regular update files.

1. Select the required hash set record in the table.
2. Click the actions icon and select Update file.
3. Select the update file to apply.
4. Click Open.

When using the Update file function, only additional unique records will appear under the Number of records column. Deleted records are not indicated; if you need to drop hashes that the source has withdrawn, delete the hash set and import the new file instead.

To delete a hash set:

1. Close all open extractions.
2. Select the required hash set record in the table.
3. Click the actions icon and select Delete hash set.
4. Click Yes.
6.9.5. Exporting the hash database


To participate in the fight against child sexual exploitation and trafficking, export and share your manually tagged media files. The export creates a JSON file that includes a hash of each offending photo, which you can share with Project VIC and CAID. The export can also contain all the original metadata of the image.


To export the hash database: 


1. Click the Tag icon to tag your media files. The tag window appears.

[Screenshot: tag window with Clear All and Manage tags, a Case tags group, a Project VIC categories group listing Non-Pertinent, Child Abuse Material (CAM), Child Exploitation Material (non-CAM) / Age Difficult, CGI/Animation, Comparison Images and Uncategorized (each with No hot key), a Description field, and OK and Cancel buttons.]


You can change the Project VIC/CAID categories under General settings > Hash set. For more information, see General settings (on page 421).


2. Tag your media files using Project VIC/CAID categories.
3. Select Tools > Watch list > Export Hash database. The Export Project VIC JSON window appears.

[Screenshot: Export Project VIC JSON window with a Version selector (VIC 1.3), a Location field with a Browse button, Database category (US), and Media Items options: All items (9496), Selected items for report (5637/9496), Tagged items (Project VIC Categories) with per-category check boxes, and Only manually tagged files.]

4. Select the Project VIC version (i.e., VIC 1.3 or VIC 2.0).
5. Select the current location of the export file or click Browse to choose another location.
6. Select the media items to export as follows:

» All items: Includes all media files.
» Selected items for report: Includes all media files that were marked to be included in the report.
» Tagged items (Project VIC categories): Includes all media files with Project VIC/CAID categories. You can also select the check boxes for only the required categories.
» Only manually tagged: Includes the media files that you manually tagged with Project VIC/CAID categories.

7. Click Next. The following window appears.
[Screenshot: Export Project VIC JSON window with an Include metadata check box and Export data options (Only hash values; Hash values and files), plus Cancel, Back and Next buttons.]

8. Select Include metadata to include all the original metadata of the media.
9. Select the data to export: only the hash values, or the hash values and the files.
10. Click Next. The following window appears.

[Screenshot: Export Project VIC JSON window, Contact information (optional): Case number, Organization, Name, Phone, Email, Title.]

11. (Optional) Enter the case information.
12. Click Export. The following window appears.
[Screenshot: Export Project VIC JSON: "File created successfully. A JSON file was created. Use this file to participate with Project VIC or CAID and help make it a safer world."]

13. Click Open folder to locate the JSON file and then share the file with Project VIC or CAID.

Before sharing the file outside your organization, check what it contains: depending on the options chosen it carries the original media metadata, the contact and case details you entered, and possibly the files themselves.

If no files are selected to be exported, an error message is displayed ("Something went wrong. An unexpected error occurred. Please try again later").
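The selection and export logic described in the steps above, as an added example that is not Cellebrite's code and does not reproduce the real Project VIC JSON schema. It applies the four media item scopes (All items, Selected items for report, Tagged items with optional category filter, Only manually tagged), honours the Include metadata and "hash values and files" options, and refuses to produce a document when nothing is selected, which is the case the error message above covers. The record field names, the document layout, and the sample items are assumptions constructed for the example.

```python
# Added example, not Cellebrite code: build a Project VIC style export from
# tagged media items using the manual's four item scopes, the Include metadata
# option and the "only hash values" / "hash values and files" choice, and
# refuse to produce a document when nothing is selected. Field names and the
# document layout are a simplified stand-in for the real VIC 1.3/2.0 schema;
# the sample items are constructed.
import hashlib
import json

ALL, FOR_REPORT, TAGGED, MANUAL = "all", "report", "tagged", "manual"


def select_items(items, scope, categories=None):
    """Apply one export scope; categories optionally narrows TAGGED/MANUAL."""
    def wanted(it):
        if scope == ALL:
            return True
        if scope == FOR_REPORT:
            return it["in_report"]
        if it["category"] is None:          # TAGGED and MANUAL need a category
            return False
        if categories and it["category"] not in categories:
            return False
        return scope == TAGGED or it["tag_source"] == "manual"
    return [it for it in items if wanted(it)]


def build_export(items, scope, categories=None, include_metadata=False,
                 include_files=False, version="1.3", contact=None):
    """Return (document, files_to_copy). Raises ValueError if nothing is selected."""
    chosen = select_items(items, scope, categories)
    if not chosen:
        raise ValueError("no files selected for export")
    records, files = [], []
    for it in chosen:
        rec = {"MD5": hashlib.md5(it["data"]).hexdigest(),
               "SHA1": hashlib.sha1(it["data"]).hexdigest(),
               "MediaSize": len(it["data"]),
               "Category": it["category"]}
        if include_metadata:                # original metadata travels with the hash
            rec["Exif"] = it.get("metadata", {})
        if include_files:                   # "Hash values and files"
            rec["RelativeFilePath"] = it["path"]
            files.append(it["path"])
        records.append(rec)
    doc = {"version": version, "contact": contact or {}, "value": records}
    return doc, files


def to_json(doc):
    """Serialize the export document the way it would be written to disk."""
    return json.dumps(doc, indent=1)


# Constructed sample media items (not from a real extraction).
SAMPLE_ITEMS = [
    {"path": "DCIM/IMG_0001.jpg", "data": b"img-1", "category": "Child Abuse Material (CAM)",
     "tag_source": "manual", "in_report": True, "metadata": {"Make": "Apple"}},
    {"path": "DCIM/IMG_0002.jpg", "data": b"img-2", "category": "Comparison Images",
     "tag_source": "hashset", "in_report": True, "metadata": {}},
    {"path": "DCIM/IMG_0003.jpg", "data": b"img-3", "category": None,
     "tag_source": None, "in_report": False, "metadata": {}},
]
```

Keeping the metadata and file paths out of the record unless explicitly requested mirrors the dialog's defaults: the minimum export is hashes and categories only, and anything beyond that (Exif, file copies, contact details) is a conscious choice by the examiner.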
6.10. Tags


While reviewing events, contacts, etc., the investigator can tag items for future reference. Each item can have multiple tags. A tag is essentially a quick reference you can create on individual items:

» An Analyzed Data item such as a call from the call log, a contact record, an email message, etc. See Analyzed data (on page 89).
» A Data Files item such as applications, archives, configurations, databases, and so on. See Data files (on page 90).


To tag an item: 


1. Click the Tag icon. The tag window appears.

[Screenshot: tag window with a Search tags field, Clear All and Manage tags, a Case tags group (UnknownTag (No hot key), Evidence (F6), Important (F7), Pending (F8), Completed (F9)), a Project VIC categories group, and a Description (optional) field.]


The window also includes Project VIC or CAID categories. For more information, see Importing and categorizing hash sets (on page 152). To display other Project VIC/CAID categories, go to General settings > Hash sets.

2. Choose the relevant tag and click OK. An example is shown next. For more information, see General settings (on page 421).


[Screenshot: Call Log (84) table in which several rows carry tag icons. Columns: Parties, Timestamp, Duration, Type; for example To: 911, 5/3/2015 5:15:22 PM(UTC+3), 00:00:00, Outgoing.]


To remove a tag, click its remove icon.


The tags you create can be viewed via the Tags tree item. The number of tags in the project 
is shown in brackets next to the section name. You can create or remove multiple tags. 


Double-click the Tags tree item to list the tags in a tab in the data display area. Selected 
tags are included in reports that you generate. 


To manage tags:

1. Click the Tag icon and then click Manage tags. The tag management window appears.

[Screenshot: "Define your tags names, colors and hotkeys" window with a Search tags field, Import, Export and New tag buttons, a Global tags list (Evidence F6, Important F7, Pending F8, Complete F9, each with a color and a delete icon), and a Project VIC categories group.]

The window also includes Project VIC or CAID categories. For more information, see Importing and categorizing hash sets (on page 152).

2. Define each tag's name, color, and hotkey, as desired.

» To delete a tag, click the delete icon next to the tag name.
» To create a new tag, click New tag. A new line appears.
» To export tags, click Export a list of tag labels.
» To import tags, click Import a list of tag labels.
6.11. Device locations


In Physical Analyzer, location data is drawn from different locations within the device. The following location data is analyzed:

Analyzed data > Location related

Location data in the Locations item is divided into the following categories:

» Cell towers
» WiFi networks
» Harvested Cell towers
» Harvested WiFi networks
» Media locations
» Favorites
» Reminders
» Home
» Entered
» TomTom
» Foursquare
» GpsFix
» Recent
» Frequent
» Wireless networks

Harvested and non-harvested location information

Harvested and non-harvested location information is taken from the device database.

The device location is identified by the device's GPS information, which is calculated in two ways:

1. Collection - As the device changes locations when traveling with its owner, it collects the location information of each cell tower and Wi-Fi network receptor as it enters their vicinity. These locations are called "harvested" information. The location calculated in this way is considered accurate.

When the device's Wi-Fi is turned on, the device periodically sends the harvested locations to Apple (iPhone devices) or Google (Android devices). The harvested information is then deleted from the device.

When the device's Wi-Fi is turned off, or there is no Wi-Fi connection available, the device harvests and stores the locations of the cell towers and Wi-Fi networks, and then sends the information when the Wi-Fi is turned on or a connection is available.

2. Download - The device connects to the location services provider (Apple for iPhone devices or Google for Android devices), requesting location services. Apple or Google send information about cell towers and Wi-Fi networks in a ~2 km radius. This information is saved on the device and is called "non-harvested" information. Because a non-harvested record describes a network near the device at the time of the request rather than one the device connected to, treat it as an approximate indication of where the device was, not as proof that it visited that spot.


Location data in the Cell towers, WiFi networks, Harvested Cell towers, and Harvested WiFi networks categories includes:

» GPS information - longitude and latitude
» Accuracy - radius in meters within which the device is located.
» Confidence - in %. How confident the service provider is that the phone indeed lies in the calculated location.
» Timestamp

Media locations

Location data in Media locations is taken from the location stamp associated with each media file.

Analyzed data > Journeys

Location data in the Journeys item is taken from the GPS applications on the device. The categories displayed in this item are divided by application.

Analyzed data > GPS fixes

Location data in the GPS fixes item is taken from GPS devices and GPS applications on the device. The categories displayed in this item are divided by application and source.


6.11.1. Viewing online maps 


The maps function is available to Physical Analyzer users with a valid license. The locations are presented with an icon displaying the location type. Filter the locations based on multiple attributes including date, time and location type.

There are two options: Online maps (which requires Internet access), and Offline maps (see Viewing offline maps (on page 174)). An example of an online map is displayed next.
[Screenshot: Device Locations (49396) tab with an online map of the Madrid area, Export, Filters and Actions menus, and a table with the columns Origin, Timestamp, End time, Position, Aggregated locations and Map Address.]

You can use this capability to view all location related events for a specified address. Search for the specific location or zoom in to the desired location on the map, and all other location related events that occurred in the vicinity will appear on the map. You can search for a location while working in online mode by typing an address, a position (coordinates) or the name of a place.

[Screenshot: location search box containing an example address, C. d'Aristides Maillol, 12, 08028 Barcelona, Spain.]


6.11.1.2. Device origin 


The Origin column classifies each recovered location record by its origin: Device or External. You can view and filter for locations that are related and unrelated to the device user's activities. (This does not mean the device has physically been in this location.) For example, a picture taken by the camera on a digital device is classified as a Device location, while a picture received on the device is marked as an External location, because the location is related to the image sender. Classified locations are highlighted with a different color on the map.

Locations that cannot be classified are shown as Blanks, i.e., Unknown.
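The vicinity search described above and the Device/External origin rule, as an added example that is not Cellebrite's code. It finds the location records whose accuracy circle overlaps a search circle around a given point, optionally drops records below a confidence threshold, and classifies each record's origin from where it was recovered. The records, the overlap rule, the confidence default, and the path-based rule for received media (a file under an SMS Attachments folder is treated as External) are all assumptions constructed for the example.

```python
# Added example, not Cellebrite code: vicinity search over location records
# honouring each record's Accuracy radius (meters) and Confidence (%), plus a
# Device/External origin classifier. Records and rules are constructed here.
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def classify_origin(rec):
    """Device: produced by the device itself; External: relates to another party.
    The SMS Attachments path rule is an assumption for this example."""
    src = rec.get("source", "")
    if rec["category"] == "Media locations":
        return "External" if "/SMS/Attachments/" in src or rec.get("received") else "Device"
    if rec["category"] in ("Cell towers", "WiFi networks", "Harvested Cell towers",
                           "Harvested WiFi networks", "GpsFix"):
        return "Device"
    return "Unknown"


def events_near(records, lat, lon, radius_m, min_confidence=0):
    """Records whose accuracy circle overlaps the search circle and whose
    confidence is at least min_confidence, as (distance_m, record) sorted by
    distance. A record without a confidence value is treated as 100%."""
    hits = []
    for rec in records:
        if rec.get("confidence", 100) < min_confidence:
            continue
        d = haversine_m(lat, lon, rec["lat"], rec["lon"])
        if d <= radius_m + rec.get("accuracy_m", 0):
            hits.append((round(d), rec))
    hits.sort(key=lambda t: t[0])
    return hits


# Constructed sample records (not from a real extraction).
SAMPLE_RECORDS = [
    {"name": "cell-1", "category": "Harvested Cell towers", "lat": 32.102162,
     "lon": 34.851047, "accuracy_m": 17900, "confidence": 70, "source": "cellular"},
    {"name": "wifi-1", "category": "WiFi networks", "lat": 32.1015, "lon": 34.8505,
     "accuracy_m": 50, "confidence": 95, "source": "wifi"},
    {"name": "photo-1", "category": "Media locations", "lat": 37.82758,
     "lon": -122.4818, "accuracy_m": 0, "source": "DCIM/IMG_0007.jpg"},
    {"name": "video-1", "category": "Media locations", "lat": 37.82758,
     "lon": -122.4818, "accuracy_m": 0,
     "source": "var/mobile/Library/SMS/Attachments/76/06/MOV_8237.MOV"},
]
```

A cell tower record with a 17.9 km accuracy radius will match almost any search point in the same city, which is why the confidence filter and the per-record accuracy are shown side by side: a hit from a wide, low-confidence circle should not be read the same way as a hit from a 50 m Wi-Fi record.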
6.11.1.3. Using the map


Users can browse and search topographically-shaded street maps for many cities worldwide.

Two types of map views are available to users: Road View and Aerial View.

» Road View: Road view is the default map view and displays vector imagery of roads, buildings, and geography.
» Aerial View: Aerial view overlays satellite imagery onto the map and highlights roads and major landmarks for easy identification amongst the satellite images.

To highlight locations in the table:

» Click or zoom in to a location on the map.

[Screenshot: Road View map of the Lancaster area with location markers.]

Related events are displayed on the right pane under Locations.
[Screenshot: Locations (11) pane listing records at 1/13/2011 10:37:55 AM(UTC+2) with position (32.102162, 34.851047), and a detail pane for one location: Description: MCC=425 MNC=1 LAC=5700; Timestamp: 1/13/2011 10:37:55 AM(UTC+2); Precision: 17900; Confidence: 70; Category: Reminder; Extraction: Legacy.]

To jump or link to the timeline: 
» Click Go to on the right pane and select Timeline. 


A new Timeline tab appears and the selected location is highlighted in the Table view. 


6.11.2. Viewing offline maps 


View extracted locations using offline maps even without an Internet connection. The maps package installation is required and it is available to Physical Analyzer users with a valid license.

The maps package can be loaded to a single installation, or saved to a shared location to which multiple users can connect.

You can choose to use online or offline maps when accessing the device locations under Analyzed data.
To change the default map view:

1. Go to Settings > General settings > Map section.
2. Select the desired maps view (Use online maps or Use offline maps).

The offline maps feature uses a light Windows service that opens and listens on TCP port 3000. To use this feature, you need to select the Install offline maps service check box during the Physical Analyzer installation process. If this service was not selected, then you need to reinstall the application. Because the service is a network listener, check after installation that port 3000 is reachable only as your workstation's firewall policy allows.


To download the offline maps package:

1. Log in to MyCellebrite.
2. In Products and Licenses, click in the Physical Analyzer product box.
3. In Maps Pack, locate and download the Offline maps package.

There are a number of offline map packages. You can view extracted locations on a worldwide map, and zoom in at a higher resolution to view streets in selected continents using offline maps.

The Offline maps - Worldwide package must be downloaded and installed before installing a regional offline maps package.

To reduce merge processing time when working with a shared location, it is recommended that only the user who has the offline maps on their machine installs new maps. Other users can still connect to the offline maps.

Merge processing time also depends on network issues and how busy the central machine is when downloading.


To install the offline maps package:

1. After downloading the relevant offline maps package, in Physical Analyzer, go to Tools > Offline maps > Install Offline maps Package. The Install offline maps window appears.

[Screenshot: Install offline maps window. Text: "Click Load from file once the offline maps package has downloaded or click Connect to central location to connect to a new or shared location. You can view extracted locations on a worldwide map, and zoom in at a higher resolution to view streets in selected continents using offline maps. Note: Connecting to a central location database with multiple users may impact performance." Controls: Connect to central location, Database destination (default C:\ProgramData\TileServerData) with a folder button, Load from file, Installation progress, Cancel.]

Click the folder button next to Database destination to change the default location where the offline maps are installed.


2. Select one of the following options:

» Click Load from file to load the offline maps package. Due to the size of the file, the loading process takes some time to complete.
» Click Connect to central location to connect to a shared location where the offline maps package has been saved.

Connecting to a central location database with multiple users may impact performance.

3. The message "Installation completed successfully" appears.

The offline maps are now installed and ready to use. An example of an offline map is displayed next.
6.11.3. Markers and information windows


Markers signify the location where a person's device registered.

The color of the marker signifies which person was registered at a particular location. At a low zoom level, markers show the approximate location, and may include the data of more than one person.

The following markers are examples of the types of markers that are displayed in the map:

» Cluster marker: at low zoom level, this marker displays the number of recorded locations in a particular area.
» Cell tower marker: indicates the location of the cell tower that registered the person's device.
» WiFi marker: indicates the location of the WiFi network receptor that registered the person's device.
» Media marker: indicates the recorded location of a media object.
» Unidentified marker: indicates the location of an unidentified entity that registered the person's device.
6.11.4. Enrichment of BSSID and cell IDs


Physical Analyzer enables you to enrich the location data recovered from mobile devices by converting BSSIDs (wireless network identifiers) and cell IDs (cell tower identifiers) to physical locations. When viewing location data, BSSID values are displayed. An example is displayed next.

[Screenshot: Wireless Networks (1189) tab listing networks with the columns Last Connected, Last Auto Connected, Timestamp, End Time, BSSID and SSID (Cellebrite Mobile), a detail pane for one record (Cellebrite Mobile, a com.google.android... package, 07/12/2015 14:29:28(UTC+0), Map Position empty, Extraction: Physical), and a status bar reading Total: 1189, Deduplication: 5, Items: 1164/1184, Selected: 1164.]

If all BSSIDs/cell IDs have already been enriched, then the Enrichment feature is not available.


6.11.4.1. Online enrichment 


To enrich BSSID and cell tower IDs (online):

1. If you have an Internet connection and you open an extraction with BSSIDs or cell IDs, the following window appears (the first time only).

[Dialog: New: Data Enrichment Services Platform. "Cellebrite is pleased to announce the launch of our new complimentary, online platform that provides a growing number of services such as location and attribution enhancements. The first available service is location enrichment from wireless networks (BSSIDs) and cell towers (Cell IDs) enabling you to: Collect more data to make informed decisions; Save time by collecting data from multiple sources."]

2. Click Got it. The following window appears.

[Dialog: Enrich your location data. "This extraction includes wireless networks (BSSIDs) or cell towers (Cell IDs), which you can enrich by converting to physical locations. Clicking Enrich will send the location data to the Cellebrite Data Enrichment Services Platform for conversion. Once this process completes, you will be notified and the coordinates will be added under Device Locations. Disable this service under General Settings > Data enrichment." Buttons: Skip, Enrich.]

3. Click Enrich to convert to the physical locations via the Enrichment service.

You will receive a notification when the process completes and the new locations will be added under Device Locations.

Online enrichment transmits the extraction's BSSIDs and cell IDs to Cellebrite's online platform. If case data must not leave the workstation, click Skip and use offline enrichment instead, or disable the service under General Settings > Data enrichment.

You can also access Online enrichment from Tools > Enrichment of BSSIDs and Cell IDs.


6.11.4.2. Offline enrichment 


To start using the BSSID feature, first download the database. This is an offline solution and does not require an Internet connection.

To download the BSSID database:

1. Log in to MyCellebrite.
2. Click the Downloads tab.
3. Download the BSSID database. Make note of the location.

To aid the download process, you can optionally download split database files (10 files, 6 GB file size) and load these files into Physical Analyzer. These files will be merged into a single database file, but the files must all be located together. When you load the split files, you need to select the main (or first) database file.

You can save the database to a network location for use by multiple users.
To install the BSSID database:

1. From the Tools menu, select Enrichment of BSSID and cell IDs and click Install. The following window appears.

[Dialog: "Click Load from file after you download the BSSID database. You can convert BSSID values to physical locations." Controls: Load from file, Connect to existing DB, Database destination, Installation progress.]

2. Click Load from file to use the database on your computer or Connect to existing DB to use a database saved on your network.
3. Navigate to the location of the database and click Open. The database is installed.

Once the BSSID database is installed, Physical Analyzer converts the BSSID values to physical locations. An example is displayed next.


[Screenshot: Locations (49393) tab with a detail pane for a wireless network record (Name and SSID: Bezeq-N_fediac; Description: the network's BSSID and SSID; Wireless Network Last Auto Connection; Timestamp: 1/11/2011 8:45:11 PM; Source file under iPhoneDump/AFC Service/private/var/preferences/SystemConfiguration/). The table rows show Position, Map Address and Description (BSSID/SSID) columns with converted positions such as (31.848140, 35.170343) and (31.904127, 34.814644); status bar: Total: 77, Deduplication: 0, Items: 77/49141, Selected: 77.]


To enrich BSSID and cell tower IDs that are not in the database:

1. Select Tools > Enrichment of BSSID and Cell IDs > Export to generate an XML report with the unenriched BSSID and cell tower values.
2. Email the report to enrichment@cellebrite.com.
3. You will receive an enriched report with converted positions via email.
4. Select Tools > Enrichment of BSSID and Cell IDs > Import to import the enriched report into the current project.
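The offline enrichment flow above (local database lookup, export of the identifiers that are not in the database, import of the enriched reply), as an added example that is not Cellebrite's code and does not reproduce the real BSSID database or XML report formats. It normalizes BSSIDs written in different notations, builds a cell tower key from MCC/MNC/LAC/CID, resolves both against a small SQLite table standing in for the offline database, exports the unresolved keys as XML, and merges an enriched XML reply back, flagging every resolved position as enriched (from a database, not from the device). The table layout, XML element names, identifiers and coordinates are all constructed for the example.

```python
# Added example, not Cellebrite code: normalize BSSIDs and cell IDs, resolve
# them against a local lookup table (stand-in for the offline BSSID database),
# export unresolved identifiers as XML and merge an enriched XML reply back.
# The table layout, XML names, identifiers and coordinates are constructed.
import re
import sqlite3
import xml.etree.ElementTree as ET


def normalize_bssid(raw):
    """'F0:7D:68:FE:31:AE', 'f0-7d-68-fe-31-ae', 'F07D68FE31AE' -> 'f0:7d:68:fe:31:ae'."""
    hexd = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexd) != 12:
        raise ValueError("not a BSSID: %r" % (raw,))
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))


def cell_key(mcc, mnc, lac, cid):
    """Cell tower identity as MCC-MNC-LAC-CID, e.g. '425-1-5700-12345'."""
    return "%d-%d-%d-%d" % (mcc, mnc, lac, cid)


def record_key(rec):
    if rec["kind"] == "wifi":
        return normalize_bssid(rec["id"])
    return cell_key(*rec["id"])             # cell records carry (mcc, mnc, lac, cid)


def open_lookup_db(rows, path=":memory:"):
    """Stand-in for the offline database: key -> (lat, lon, accuracy_m)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS loc(key TEXT PRIMARY KEY,"
               " lat REAL, lon REAL, accuracy INTEGER)")
    db.executemany("INSERT OR REPLACE INTO loc VALUES(?,?,?,?)", rows)
    db.commit()
    return db


def enrich(records, db):
    """Fill in positions for records whose key is in db; return unresolved keys."""
    unresolved = []
    for rec in records:
        key = record_key(rec)
        row = db.execute("SELECT lat, lon, accuracy FROM loc WHERE key=?", (key,)).fetchone()
        if row:
            rec["position"] = (row[0], row[1])
            rec["accuracy_m"] = row[2]
            rec["enriched"] = True          # not device data: flag it in UI and reports
        else:
            unresolved.append(key)
    return sorted(set(unresolved))


def export_unresolved_xml(keys):
    """Build the 'unenriched identifiers' report that would be sent out."""
    root = ET.Element("UnenrichedIds")
    for k in keys:
        kind = "cell" if k.count("-") == 3 else "bssid"
        ET.SubElement(root, "Id", kind=kind).text = k
    return ET.tostring(root, encoding="unicode")


def import_enriched_xml(records, xml_text):
    """Merge <Id kind=.. lat=.. lon=.. accuracy=..>key</Id> results into records."""
    got = {el.text: (float(el.get("lat")), float(el.get("lon")), int(el.get("accuracy")))
           for el in ET.fromstring(xml_text).findall("Id") if el.get("lat")}
    merged = 0
    for rec in records:
        key = record_key(rec)
        if key in got and "position" not in rec:
            rec["position"], rec["accuracy_m"], rec["enriched"] = got[key][:2], got[key][2], True
            merged += 1
    return merged


# Constructed records and lookup rows (no real networks or towers).
SAMPLE_RECORDS = [
    {"kind": "wifi", "id": "F0:7D:68:FE:31:AE", "timestamp": "1/11/2011 8:45:11 PM"},
    {"kind": "wifi", "id": "f0-7d-68-fe-31-ae", "timestamp": "1/11/2011 8:50:02 PM"},
    {"kind": "cell", "id": (425, 1, 5700, 12345), "timestamp": "1/13/2011 10:37:55 AM"},
    {"kind": "wifi", "id": "1C:AF:F7:6F:04:8E", "timestamp": "11/27/2010 9:34:53 PM"},
]
SAMPLE_DB_ROWS = [
    ("f0:7d:68:fe:31:ae", 32.1, 34.8, 50),
    ("425-1-5700-12345", 32.102162, 34.851047, 17900),
]
```

Normalizing the identifier before the lookup matters because the same BSSID appears in different notations across plists, SQLite databases and exported reports; a lookup on the raw string would silently miss matches. The enriched flag is what lets a report distinguish a position that came from the device from one that a database supplied.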
To disable the automatic conversion of BSSID and cell tower IDs to physical locations:

1. From the Tools menu, click Settings.
2. Under General settings, scroll down to Data enrichment.
3. Clear the Convert BSSID values (wireless network) to physical locations check box.


6.11.5. Retrieving addresses 


You can view street addresses for longitude and latitude positions extracted from a device. 
This can then be used to filter the locations. You can select single or multiple locations up to 


a maximum of 1,000. You can retrieve street addresses In the following views: Project 
search, Timeline views and Watch List results. 


To use this feature, you must be connected to the Internet. 


To retrieve an address:

» In one of the Device locations table views, select a row, right-click and select Retrieve address, or click Actions > Retrieve address.

To retrieve multiple addresses, hold the Ctrl key while selecting the locations. You can retrieve a maximum of 1,000 items.


[Screenshot: Device locations table after retrieval, showing the Timestamp, Position and Map Address columns for each External location]


The retrieved addresses are displayed in blue in the column called Map Address. 


To filter locations:

» Click Filters > Location and then select one of the following options:
» Show All to display all locations.
» With map address to display only locations that have a map address.
» Without map address to display only locations that do not have a map address.


Enriched data appears in blue, indicating that it was enriched by Cellebrite and did not come from the device.
6.11.6. Decoding and analyzing drone data

Drones are becoming more and more involved in crimes including smuggling, carrying weapons and even threats to passenger aircraft. Physical Analyzer provides decoding of intact and deleted data from popular drone models.

Supported data artifacts include: media files, metadata, locations and timestamps, home points, elevation, drone identifiers, and deleted data including deleted journeys and home points (data that was automatically deleted by the drone).


6.11.6.1. Drone flight path

Each drone flight has its own journey with positions. The positions are presented on a map with a flight path, and you can play and visually track the drone's flight.

To view the drone's flight path:

1. Under Analyzed Data > Device Locations, double-click Journeys.

The flight-path symbol on the map indicates a drone's flight path. Hover over this symbol to see the From point with GPS details including: date, time, longitude, latitude, and elevation in meters.


6/24/2017 07:08 +03:00 
(32.101766, 34.850922) 
Elevation (meters): 79.10 


2. In the right pane, in the Waypoints area, click the Play button to simulate the drone's flight. Click the Stop button to end the simulation. The To-point symbol on the map indicates the To point.

3. Click a waypoint in the list to indicate its position with a red circle on the drone's flight path. An example flight path is displayed next:
[Screenshot: Journey pane showing the Source file (with offset and size), the From point and To point (position, date and time, elevation), Position, and the Waypoints (522) list with timestamp and position columns]


The right pane includes the following information:

» Journey information: Start time, end time, app name of the drone for this particular journey (the user may have more than one drone), source, type of extraction (i.e., Physical extraction), and source file.

» From/To points: Longitude, latitude, start date and time, and elevation from sea level in meters.

» Waypoints: A selection of some of the waypoints from the drone's flight path including position, timestamp and elevation.


The Play button is not displayed if there are more than 50 meters between waypoints, because this could indicate that the drone's flight path is not valid.
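An added example (not Physical Analyzer code) that applies the 50-meter rule above to a constructed waypoint list: it measures the great-circle distance between consecutive waypoints and reports any gap over the threshold, the condition under which the Play button is withheld. The Waypoint type, the sample coordinates and the haversine helper are assumptions of this example.

```python
"""Gap check for a drone journey's waypoints.

Added example, not Physical Analyzer code: it applies the 50-metre rule
from the manual to a constructed waypoint list.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_GAP_METERS = 50.0              # threshold quoted in the manual
EARTH_RADIUS_METERS = 6_371_000.0  # mean Earth radius (assumed constant)


@dataclass(frozen=True)
class Waypoint:
    """One row of the Waypoints list: timestamp, position, elevation."""
    timestamp: datetime
    lat: float
    lon: float
    elevation_m: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two positions given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_METERS * asin(sqrt(a))


def find_gaps(waypoints, max_gap_m=MAX_GAP_METERS):
    """Return (index, metres) for every consecutive pair further apart than max_gap_m.

    Waypoints are ordered by timestamp first, so an unsorted list is
    handled the same way as a sorted one.
    """
    ordered = sorted(waypoints, key=lambda w: w.timestamp)
    gaps = []
    for i in range(1, len(ordered)):
        prev, cur = ordered[i - 1], ordered[i]
        d = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
        if d > max_gap_m:
            gaps.append((i, round(d, 1)))
    return gaps


def flight_path_is_playable(waypoints):
    """True when there are at least two waypoints and none are more than MAX_GAP_METERS apart."""
    return len(waypoints) >= 2 and not find_gaps(waypoints)


# Constructed sample: four closely spaced waypoints, then a jump of
# 0.001 degrees of latitude (about 111 m) that breaks the 50 m rule.
SAMPLE_WAYPOINTS = [
    Waypoint(datetime(2017, 8, 13, 13, 26, 0), 32.101800, 34.850871, 55.8),
    Waypoint(datetime(2017, 8, 13, 13, 26, 2), 32.101900, 34.850871, 56.0),
    Waypoint(datetime(2017, 8, 13, 13, 26, 4), 32.102000, 34.850871, 56.2),
    Waypoint(datetime(2017, 8, 13, 13, 26, 6), 32.103000, 34.850871, 56.5),
    Waypoint(datetime(2017, 8, 13, 13, 26, 8), 32.103100, 34.850871, 56.6),
]

if __name__ == "__main__":
    for index, metres in find_gaps(SAMPLE_WAYPOINTS):
        print(f"gap before waypoint {index}: {metres} m")
    print("playable:", flight_path_is_playable(SAMPLE_WAYPOINTS))
```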


6.11.6.2. Images/videos

Image and video files taken by the drone during flights are displayed under Analyzed Data > Media Images > Images / Videos.

The right pane includes the following information:

» Details: Image name, type (Images or Videos), size, path, creation date, accessed date, modified date, whether it resides in deleted data, type of extraction, MD5, and source file name.

» Metadata (EXIF): Make of camera, camera model, capture time, pixel resolution, image resolution, orientation, latitude, and longitude.

» Map: position of the drone on the map, as well as any physical address and map address.


An example is displayed next: 
[Screenshot: Images (48) view in Table View listing DJI_00nn.JPG files under NO NAME/DCIM/100MEDIA, with the Details pane (type, size, path, created/accessed/modified dates, deleted, extraction, MD5, source file), the Metadata pane (camera make and model, capture time, pixel resolution, resolution, orientation, lat/lon) and the Map pane]


6.11.6.3. Log files

The drone's log files are located under Data Files > Uncategorized. An example is displayed next:


[Screenshot: Uncategorized data files in Table View listing FLY8nn.DAT log files with Path, Size (bytes), Created and Modified columns, and the Details and Map panes for the selected file]


6.11.6.4. Log entries

Log entries that were written to the drone's log file are displayed under Analyzed Data > Log Entries. An example is shown next:
[Screenshot: Log Entries (70804) view with Timestamp, End Time, Identifier, Severity and Body columns; each body opens with a module tag such as [L-FMU/VERSION], [L-FDI], [L-COMPASS], [L-BATTERY] or [L-GYRO_ACC], and the Log Entry pane shows Identifier, Timestamp, Application, Severity, Extraction, Source file (FLY917.DAT with offset and size), PID and Body]


6.11.6.5. Device info 


The Extraction Summary displays information about the drone model, when the extraction 
was performed, drone serial number and battery serial numbers. The drone serial number is 
the recovered serial number from the drone’s log files. This number may be different from 
the serial number that appears on the actual drone. The serial number of the battery could 
be the current battery or a previous battery. An example is shown next: 


[Screenshot: Extraction Summary for a Physical extraction of a DJI Phantom 4 drone; Device Info lists the drone serial number and battery serial numbers with the log file and offset each was recovered from, and Device Content lists counts for Device Locations, Log Entries, Audio, Images, Videos, Configurations and Uncategorized data files, followed by Hash set info]
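An added example (not Physical Analyzer code) that parses log entries in the shape of the Log Entries view (timestamp, identifier, severity, body opening with a bracketed module tag) and recovers the controller ID from the [L-FMU/VERSION] entries, the kind of value the Extraction Summary reports as the drone serial number recovered from the log files. The sample lines, the ENTRY_RE layout and the "Mc ID" label handling are assumptions modelled on the screenshot; the ID value is a constructed placeholder, not a real serial number.

```python
"""Parser for drone log entries in the shape of the Log Entries view.

Added example, not Physical Analyzer code. The sample lines are constructed
to resemble the table's Timestamp, Identifier, Severity and Body columns;
the controller ID in them is a placeholder, not a real serial number.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
8/28/2017 12:28 27125424 61 [L-FMU/VERSION]Bat Ver 3/255.255.255.255
8/28/2017 12:28 27125303 61 [L-FMU/VERSION]Mc Ver 3.2356
8/28/2017 12:28 27125160 61 [L-FMU/VERSION]Mc ID :07EXAMPLE00001
8/28/2017 12:28 26311864 51 [L-FDI]NS(0): init wait static
8/28/2017 12:28 26217174 51 [L-FDI][BARO(0)] fdi event:turn on
8/28/2017 12:28 26130739 50 [L-GYRO_ACC]GYRO(1) fdi event:turn on
8/28/2017 12:28 26129999 86 [L-BATTERY]power off(3) --> (3.6)
garbage line that does not follow the entry layout
"""

# One entry per line: date, time, numeric identifier, numeric severity,
# then a body that opens with a bracketed module tag such as [L-FMU/VERSION].
ENTRY_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}) "
    r"(?P<identifier>\d+) (?P<severity>\d+) "
    r"\[(?P<module>[^\]]+)\](?P<message>.*)$"
)
# The controller ID is logged by the flight controller's version module.
MC_ID_RE = re.compile(r"Mc ID\s*:\s*(\S+)")


@dataclass(frozen=True)
class LogEntry:
    timestamp: datetime
    identifier: int
    severity: int
    module: str
    message: str


def parse_log(text):
    """Return (entries, rejected_lines); lines not matching the layout are kept aside."""
    entries, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M")
        entries.append(LogEntry(stamp, int(m["identifier"]), int(m["severity"]),
                                m["module"], m["message"]))
    return entries, rejected


def recover_controller_id(entries):
    """Return the 'Mc ID' value from the [L-FMU/VERSION] entries, or None."""
    for entry in entries:
        if entry.module == "L-FMU/VERSION":
            m = MC_ID_RE.search(entry.message)
            if m:
                return m.group(1)
    return None


def entries_per_module(entries):
    """Count entries by module tag, to see which subsystems logged most."""
    return Counter(entry.module for entry in entries)


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print("controller ID:", recover_controller_id(parsed))
    print("per module:", dict(entries_per_module(parsed)))
    print("rejected:", bad)
```

As the manual notes, the ID recovered this way comes from the log and may differ from the serial number printed on the drone itself.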
6.12. Recording screen captures and video


Use the Capture tool to record screen captures and videos. This enables you to quickly and 
clearly document and explain your digital investigative processes, build visual reports that 
are easy to present and share, and communicate with other personnel more effectively. 


For each screen capture or video recording, you can select an area, enter a label, add notes, 
save to a project or location on your computer, and include it in a report. The screen 
captures and videos can be included in all report formats including UFDR files, which can 
then be presented in Cellebrite Reader. 


To use the Capture tool and to play back videos, you need Windows Media Player (the default version for the installed OS, or higher).


To perform a screen capture or video recording: 


1. Click Screen capture. The screen capture window appears.


2. Select Screenshot or Video. 


6.12.1. Screenshot 


1. Click Capture.


2. Select the capture area. The screenshot is taken and the following window appears. 
[Screenshot: Screen capture window with File name, Category and Note fields, the captured image, editing tools, and the Cancel, Copy to Clipboard, Save as a file and Add to project buttons]


3. Use the default file name or enter a new name.

You cannot use the same file name that exists in another open project.

4. Select a category or enter a new category. The system remembers a maximum of 10 categories. The default category is "No category". The screen capture is displayed under the selected category in the project tree.

5. Enter any notes to describe the screen capture.

6. If required, use the Tools on the left to add text, draw shapes, crop, resize, rotate, or flip the screen capture.

7. Click Copy to Clipboard to copy the screenshot, click Save as a file to save the screenshot to your computer (or network location), or click Add to project to add the screenshot to a specific Physical Analyzer project.
Screenshots and videos are added to the Reports view project tree under Additional files.


[Screenshot: Reports view project tree showing Additional files (3) > Screen capture (2) > No category (2), and Video recording (1) > No category (1)]


6.12.2. Video 


1. Enable or disable the microphone.

2. Click Capture.

3. Select the capture area. The video recording begins.

4. Perform the relevant actions that you want to record.

5. When you've finished, click Stop or Pause. The following window appears.


[Screenshot: Video recording window with File name, Category and Note fields, and the Cancel and Save to disk buttons]


6. Use the default file name or enter a new name.

You cannot use the same file name that exists in another open project.

7. Select a category or enter a new category. The system remembers a maximum of 10 categories. The default category is "No category". The video is displayed under the selected category in the project tree.

8. Enter any notes to describe the video.

9. Click Save as a file to save the video to your computer (or network location) or Add to project to add the video to a specific Physical Analyzer project.


Videos can be a maximum two hours long. 
7. Translating decoded data


Translate the content of extractions that are in foreign languages without having to wait for a translator to become available or to use Internet-based tools. The Translation feature enables investigators to translate decoded data on demand. It is an offline translation solution: you do not need to be connected to the Internet. You can select single, multiple or all table entries for translation. Both the original and the translated text can be included in reports.


The Translation feature includes two different options: 


» Smart Translator (below) 
» Basic translation pack (on page 197) 


Contact Cellebrite Sales to include the Translation feature and the required language options in the Physical Analyzer license.


7.1. Smart Translator 


Translate even more decoded data with the Smart Translator, which supports a comprehensive range of requested languages. The Smart Translator includes additional languages that are not part of the Basic translation pack, including: Arabic, Arabizi, Persian, Turkish, Romanian, Pashto, Vietnamese and Swedish. To use the Smart Translator languages, you need to select language pairs. Each language pair is licensed separately. Contact Cellebrite Sales to include the Smart Translator languages in the Physical Analyzer license.


To upload the dongle license key: 


1. Click Help > Show license details. The Cellebrite Product Licensing window appears. 


2. Click Update dongle license and load the license key that includes Smart Translator 
languages. 


Before you can use the Smart Translator, you must upload the dongle license key.


An example license with the Smart Translator translation languages is displayed next. 
[Screenshot: Cellebrite Product Licensing window showing the dongle license details (expiry date, "UFED Physical Analyzer license includes: iOS Physical, GPS", dongle serial and ID) and the software license details, including the line "Translation license includes: English, French, Hebrew, Chinese (simplified), Chinese (traditional), Dutch, German, Italian"]


For a list of the latest supported languages refer to www.cellebrite.com.


Smart Translator languages are only applicable to dongle licenses. 


If you move a dongle license to another computer, you will need to install the Smart Translator languages again.


Text with multiple languages will not be fully translated. 


Each SDL language engine consumes ~ 1 GB memory (RAM). 


To use the Smart Translator: 


» Installing the Smart Translator languages (below) 


7.1.1. Installing the Smart Translator languages 


You can download the Smart Translator languages from the application or your MyCellebrite 
account. Multiple languages can be selected, but each language needs to be installed 
separately. 
To install Smart Translator languages:


1. Select Tools > Translation. The following window appears. 


[Screenshot: Translation window for the Smart Translator, showing "Examine data in your native language", "More than 120 language pairs available", "This service requires a new license at an additional cost", a sample of the available languages, the Download and Install from file buttons, and the link "For the Basic Translation pack click here"]


2. Select Download or Install from file, as explained next.


To download the languages: 


1. Click Download to download the languages from the application. Select this option if you 
have an Internet connection. The following window appears. 
[Screenshot: Select premium languages window with a language pair selector (e.g. Arabic to English), a Select another language pair link, and the Download language button]


2. Select the required language pair to install. 


3. If required, click Select another language pair to install additional language pairs. Each 
language pair is installed separately, therefore the more languages selected the longer 
the installation process takes. Also, due to the size of the language files, they take time to 
download. 


When the installation starts, the following setup window appears. 


Chapter 7: 194

[Screenshot: SDL ETS Arabic-English Generic 7.1.x.0 Language Pair Setup window: "Welcome to the SDL ETS Arabic-English Generic 7.1.x.0 Language Pair Setup Wizard."]


4. Follow the on-screen instructions to install the selected language pair. At the end of the 
installation process the following window appears: 


[Dialog: UFED Physical Analyzer: "In order for changes to take affect you will need to Restart UFED Physical/Logical Analyzer application"]


5. Click OK and restart Physical Analyzer. 


To install a language pair from a file: 


1. Click Install from file to install a language pair from a file, which has been downloaded 
from MyCellebrite > Add-ons. Select this option if there is no Internet connection, or you 
have previously downloaded the language pair. There is a file for each language pair. 


The following window appears. 
[Screenshot: Install from file window: "Once you have the files, upload them here. 1. Go to my.cellebrite.com 2. Download the basic translation 3. Load the language files below", with the Load language files and Close buttons]


2. Follow the instructions, and then click Load language files. 


3. Select the required language and then click Open. 


When the installation starts, the following setup window appears. 


[Screenshot: SDL ETS Arabic-English Generic 7.1.x.0 Language Pair Setup window with the Setup Wizard welcome page]


4. Follow the on-screen instructions to install the selected language pair. At the end of the 
installation process the following window appears: 
5. Click OK and restart Physical Analyzer.


7.1.1.1. Uninstalling a language pair 


To uninstall the language pair, go to the Windows Uninstall page, and select the SDL ETS Language Pair (Publisher: SDL plc) from the list.

[Screenshot: Windows "Uninstall or change a program" list with the SDL plc language pair selected, product version 7.1.x.0, size 4.91 GB]
7.2. Basic translation pack


This pack includes 14 common languages. You can select up to five languages for free, from the My Products page in MyCellebrite. Additional languages are available for purchase. You cannot change a language after saving, but you can request additional languages. If a required language is not included in the Basic translation pack, you can purchase a Smart Translator language (see Smart Translator on page 191).

If you want to translate to a language other than English, you should select it as well.


The supported languages in the Basic translation pack are as follows:

» Chinese (Simplified)
» Chinese (Traditional)
» Dutch
» German
» Hebrew
» Italian
» French
» Japanese (requires additional payment)
» Korean
» Polish
» Portuguese
» Russian
» Spanish
» Ukrainian


Steps to use the Basic translation pack:
» Installing the Basic translation pack (below)
» Selecting the languages in MyCellebrite (on page 202)


7.2.1. Installing the Basic translation pack 


You can download the Basic translation pack from the application or your MyCellebrite 
account. The Basic translation pack includes a version number, which enables you to track 
the version installed on the computer. 


To install the Basic Translation pack: 


1. Select Tools > Translation. The following window appears. 
[Screenshot: Translation window for the Smart Translator, with the link "For the Basic Translation pack click here" at the bottom]
2. Select the click here link to access the Basic Translation pack. The following window appears.


[Screenshot: Basic Translation Pack window: "Examine data in your native language", "Limited number of languages available", "Select 5 out of 14 languages" with a sample of the languages and "+9 additional languages", the Download and Install from file buttons, and the link "For the Smart Translator pack click here"]


3. Select one of the following options:
» Download: Downloads the Basic translation pack (Internet connection required).
» Install from file: Installs the Basic translation pack from a file, which has been downloaded from MyCellebrite > Add-ons. The file is called Basic translation pack 1.0. Select this option if there is no Internet connection, or you have previously downloaded the pack. An example of the download file from the MyCellebrite page is displayed next.

[Screenshot: MyCellebrite Add-ons download list]


When the installation starts, the Setup window appears. 


[Screenshot: "Setup - Language Translation Package" window: "Welcome to the Language Translation Package Setup Wizard. This will install Language Translation Package version 1.0 on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup."]

4. Follow the on-screen instructions to install the Basic translation pack.


7.2.1.1. Uninstalling the Basic translation pack

To uninstall the Basic translation pack, go to the Windows Uninstall page, and select the Language Translation Package (Publisher: Cellebrite Mobile Synchronization) from the list.

[Screenshot: Windows "Uninstall or change a program" list with "Language Translation Package version 1.0" selected]
7.2.2. Selecting the languages in MyCellebrite


You can select up to five languages for free from the My Products page in MyCellebrite. 


To select languages: 


1. Log in to MyCellebrite and select the My Products tab. The following window appears. 


[Screenshot: MyCellebrite My Products page listing the Active Products of a UFED PC license with their expiry dates, including Basic Languages (4)]


2. Select the product and click Select Languages. The following window appears.


[Screenshot: Device Languages window: "Choose up to 5 languages for translating decoded data. Tip: If you want to translate to a language other than English you should select it as well. You cannot change a language after saving, but you don't have to choose all 5 right now.", five Select Language drop-down lists, a Need more languages? link, and a Cancel button]
3. Select up to five translation languages and click Next. The following window appears. For additional languages, click Need more languages and complete the form.


[Screenshot: Device Languages window listing the Selected Languages (e.g. Dutch, German, Italian) with the note "Please note, You cannot change a language after saving."]


4. Click Save. The following window appears. 
[Screenshot: Device Languages window: "What's next? 1. Update the license for your product. 2. Download the language pack. You don't need to do this if you installed it on this product before.", with a Close button]


7.3. Using the feature 


By default, the target language is set to the same language as the interface language. If required, you can change the target language to a different language.


To choose the target language: 


1. Select Tools > Settings. The following window appears.


[Screenshot: Localization settings showing the Interface language and Translation language selectors, the Show translation by default check box, and the Premium automatic language detection check box]


2. Select the Translation Language. That is the target language to which you want to translate the text. You can only select one Translation language. To request additional translation languages, select Get more languages.

3. Select the Show translation language by default check box to display translations by default. Clear this check box so that the translation will not appear when you translate text.
The Smart Translator automatic language detection check box is selected by default and automatically identifies the Smart Translator language to which you want to translate. To manually select the Smart Translator language, clear the check box in the General Settings and select the required translation language.


To translate decoded data: 

1. Click to select the data that you want to translate. 

2. Right-click and select Translate selected, or click Actions > Translate commands and 
select one of the following options: 
» Translate all: Translate all entries in the specified view. 


» Translate selected: Translate the selected text only.


The translated text is indicated by an orange bar. 


If required, use the Delete translation option to delete the translated 
text. 
To manually select the Smart Translator language:


1. Clear the Smart Translator automatic language detection check box under the General 
Settings. 


2. Click the Translate button. The following window appears. 


[Screenshot: Language selection window: "Select the translation language for this event", a language drop-down list (e.g. Arabic), a Change language detection settings link, and the Cancel and Translate buttons]


To view the original text: 


» Right-click the text and select View source, or click the corresponding toolbar button.

To filter text:

» Click the filter button and then select one of the following options:
» All to display all text.
» Translated to display text that has been translated.
» Not translated to display text that has not been translated.


7.3.1. Reporting 


When creating reports or exporting data, you can specify whether to include the translated 
text or not. If you choose to display the translated text within the report, the summary table 
will include an additional entry called: Translated languages, with a list of the languages. The 
translated content appears below the original text under the heading: Translation. 
To include translated text in reports, by default:
1. Go to Tools > Settings > General Settings > Report Defaults. 
2. Select the Include translation check box. 


[Screenshot: Report Defaults settings with the Default folder, Output Image Format (iOS), Default sorting, Calculate SHA-2 (256 bit) hash, Calculate MD5 (128 bit) hash and Include translations options]


To include translations in reports:

In the report wizard, select the Include translation check box.

[Screenshot: report wizard page with the Examiner, Tags, Calculate SHA-2 (256 bit) hash, Calculate MD5 (128 bit) hash, Include translations and Include known files options]


To include translated text in exports: 


1. Click an Export option.


2. Select the Include translation check box. 


[Screenshot: Export dialog with the File name, Save to and Report sub directory fields and the Include translations check box selected]
8. Cloud extractions


Cloud extractions assist law enforcement agencies and enterprises to enhance their investigations by extracting and displaying information from cloud-based data sources such as Google Location history, iCloud backup, Facebook, Twitter, Gmail, Google Drive, Google Contacts, Google Search History, Dropbox, IMAP, Instagram, etc.


Cloud extractions reduce the time required to solve cases: 


» Real-time access to an extraction of private and public user data from key cloud-based 
data sources, such as social media, web mail and cloud storage sources, etc. 


» Normalization of forensically extracted data into a common view so users can quickly 
search, filter and sort data. 


» Creation of customized reports for easy review and data sharing. 
» Data export into other analytics tools for further investigation. 


The cloud extraction capability is only available to users that have purchased a UFED Cloud license.


UFED Cloud helps agencies leverage cloud data to solve cases faster. The key benefits of 
UFED Cloud include: 


» Access more than 50 applications - Extract, preserve, and analyze cloud-based content 
from over 50 applications. 


» Get data faster - Remove the dependency on service providers by using tokens or user 
credentials. 


» Retrieve data without need for the physical device - Access forensically sound data that 
no longer resides on the physical device by retrieving cloud backups. 


» Streamline workflows - UFED Cloud is integrated with Physical Analyzer for a seamless 
review process. 


» View digital activity and locations - Get data about users’ digital activity and locations 
from Facebook, iCloud, and Google across multiple devices. 


8.1. Extracting private cloud account data 


UFED Cloud supports the extraction of cloud accounts from selected apps (data sources). The extraction wizard leads you through the five steps of the cloud extraction process:

1. Case details - adding the case details to a new or existing case including:
» Person details
» Examiner details
» Legal authorization/search warrant document upload option
» Media classification selection
» Time zone settings
» Option to create a UFDR report automatically after extraction.
» Option to select location to save report and account package.


2. Data sources - selecting the data sources that are required for the extraction. It’s also 
possible to import an account package at this stage. 


3. Validation - validating credentials/tokens, including multi-factor authentication, to 
access the data sources. 


» In this step it is also possible to create an account package for future use. Select data 
source credentials to include in the account package. The authentication state will also 
be saved. 


4. Extraction settings - setting the date range, data categories, etc., that are required. 
5. Summary - summary of this cloud extraction. 

Opening the cloud extraction wizard 


1. In the menu, click Cloud > Extraction > Private cloud data. 


The extraction wizard appears. 


8.1.1. Adding case details 


The person is the subject of the investigation and referred to as the Owner of the data. 
[Screenshot: UFED Cloud extractor, Case details screen. You can create a new case or add cloud data to an existing case. Fields include first name, last name, case number, time zone (with Use daylight saving time and Original extracted value options), and the location where the report and account package will be saved.] 


1. In the case details screen, enter the case details, including person and examiner 
information. 


2. Add a picture of the person. 


3. Upload legal authorization document if required. 


4. Select time zone. 


[Screenshot: Time zone selector showing (UTC+01:00) Zurich (Europe), with Use daylight saving time and Original extracted value options] 


a. Next to the displayed time zone, click the edit icon. 


b. Select the required time zone from the drop down list. 


c. Set the time zone settings: 


» Use daylight saving time: Select or unselect check box to enable or disable daylight 
saving time. 


» Original extracted value: Shows the time stamps as recorded in the data source. 


An extraction's time zone can be set at any point, either when creating a new person or post extraction. 


5. Optionally select to run Media classification engine on the extraction. For more 
information on this capability, see Media classification (on page 344). 
6. Select option to create UFDR report automatically after extraction. 


To use the save session functionality and enable you to save data such as tags, this option 
creates a UFDR file at the end of the cloud extraction process. 


7. Optionally select to include original zip files container. 


If this option is selected, all files will be stored in a zip file when 
generating a UFDR. 


The zip file is saved in the same location as the UFDR. This zip file is 
hashed to make sure it was not tampered with. The hash (SHA1) is 
included in the extraction summary under the Cloud tab. 


Large files will not be included in the zip file. 


8. Use default or select new path to save report and account package. 
9. Click Next to select data sources for extraction. 
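As an added example (not code from the manual), the integrity check an examiner can run on the saved container: recompute the zip's SHA1 and compare it with the hash recorded in the extraction summary. The sample zip, its contents, the file name and the "recorded" hash are all constructed here.

```python
# Added example (not code from the Cellebrite manual): verify that the
# "original zip files container" saved beside a UFDR still matches the SHA1
# recorded in the extraction summary. The zip and the recorded hash are
# constructed here; "sample_container.zip" is a placeholder file name.
import hashlib
import os
import tempfile
import zipfile

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a large container is never read whole


def sha1_hex(path):
    """Stream a file from disk and return its SHA1 as lower-case hex."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_container(zip_path, recorded_sha1):
    """Compare the container's SHA1 with the value shown under the Cloud tab.

    Returns (matches, actual_sha1). The comparison normalises case and
    surrounding whitespace, since a hash copied from a report may be upper-case.
    """
    actual = sha1_hex(zip_path)
    return actual == recorded_sha1.strip().lower(), actual


def build_sample_container(directory):
    """Constructed stand-in for the zip UFED Cloud writes next to the UFDR."""
    path = os.path.join(directory, "sample_container.zip")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Dropbox/notes.txt", "constructed sample content\n")
        archive.writestr("Facebook/profile.json", '{"name": "constructed"}')
    return path


def demo():
    """Run the check before and after the container is altered.

    Returns (ok_before, ok_after): True, then False once a single byte is appended.
    """
    with tempfile.TemporaryDirectory() as workdir:
        zip_path = build_sample_container(workdir)
        recorded = sha1_hex(zip_path)  # the value the extraction summary would carry
        ok_before, _ = verify_container(zip_path, recorded)
        with open(zip_path, "ab") as fh:  # simulate post-extraction tampering
            fh.write(b"\x00")
        ok_after, _ = verify_container(zip_path, recorded)
        return ok_before, ok_after


if __name__ == "__main__":
    print("before/after tampering:", demo())
```

A trailing byte still leaves the archive readable by most zip tools, which is why the recorded hash, not a successful unzip, is the tamper check.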


8.1.2. Selecting data sources 


In the Data sources screen, you can select data sources for extraction with the following 
methods: 


» Select data sources manually - Select data sources from the list and enter credentials 
manually. Use the search bar to search for required data sources. 


» Import an account package - A *.ucae or .ucaepc file exported from Physical Analyzer. It 
contains saved account tokens, cookies or user credentials which can be used to 
authenticate accounts in Physical Analyzer with minimal traces. 


It is also possible to import an account package that was created from a previous UFED 
Cloud extraction. 


When using an account package, there are two methods based on where your UFED Cloud is 
installed: 


» UFED Cloud is installed on a separate machine: 


» The first step is to export an account package from Physical Analyzer or from another 
extraction tool, such as the Cloud Login Collector. 


» The next step is to import the account package into UFED Cloud. UFED Cloud will then 
display the available accounts and the user can then select which accounts to 
authenticate. 


» UFED Cloud is installed on same machine as Physical Analyzer: 
» The cloud extraction is executed and displayed in Physical Analyzer without the need 
for an import. 


[Screenshot: UFED Cloud extractor, Data sources screen. Access cloud data sources with extracted tokens or manually enter credentials; data sources shown include Google Drive, Amazon Echo, Box, Dropbox, Facebook, FitBit, Google Backup, Google Calendar, Google Chrome, Google Contacts and Google Hangouts.] 


1. Select data sources for extraction: 
a. Manually select data sources. 
i. Click on the data sources that are required. 
ii. Enter credentials. 
iii. Click + Another profile button to add another account related to this extraction if 
required. 
iv. To use the same credentials for multiple apps, select the check box. 


[Screenshot: Google Hangouts credentials dialog. Enter user's credentials: User name, Password, a Use those credentials for all Google accounts check box, and a + Another profile button.] 


Selected data sources appear at the top of the screen. Click the remove icon to 
unselect a data source. 
b. Import an Account package. 
i. Click on the Import account package button. 
ii. The following window appears the first time an account package is used. 


This window provides an indication that an account package 
includes the use of cloud login keys from a mobile device and 
must include proper legal authority under your jurisdiction. Enter 
your full name, and click I approve. 


iii. Select the Account package file. 
iv. Click Open. 
v. The account package opens in a new tab. 
vi. Select data sources from account package. 
2. Click Next. The validation screen appears. 


8.1.3. Validating cloud account credentials/tokens 


The validation screen displays a table with selected data sources, user account, password, 
and validation result (valid/error/QR scanning required). 
[Screenshot: UFED Cloud extractor, Validation screen, showing Validated 6/9 and a table of data sources, user accounts, passwords and validation results, with an Include in account package column.] 


Possible statuses include: 


» Valid - the authentication (validation) was successful. 
» Error - the authentication was unsuccessful. Hover over error to view details. 
» QR scanning required - in the case the WhatsApp Web data source was selected in the 
previous step. For more information, see Accessing WhatsApp Web data (on page 365). 


For data sources that received an error status due to incorrect 
credentials, click the edit icon to reenter the credentials. 

To delete a data source from the extraction, click the delete icon. 


Some sources will require additional validation steps: 

» If multi-factor authentication or CAPTCHA is required, see Multi-factor authentication and 
CAPTCHA (on page 220). 
» If multiple Google accounts are recognized from a PC token, see Choosing from multiple 
Google accounts (on page 224). 
» If WhatsApp Web was selected, click QR scanning required and scan the QR code to 
validate. 


[Screenshot: WhatsApp Web QR scan dialog (1 of 1 QR scan required). How to scan: 1. On mobile device, open WhatsApp application. 2. Go to WhatsApp settings and tap "WhatsApp Web". 3. If the device is already logged into other devices, tap "Log out from all devices". 4. Once camera screen opens within WhatsApp, scan the QR code above. Buttons: Cancel, I scanned the QR.] 


To look up a list of active accounts and their credentials, use the 
Password collector. The Password collector can help you overcome 
expired tokens or gain access to apps which are not directly supported by 
UFED Cloud. See Password collector (on page 223). 


Notes 


» Instagram uses the username instead of an email address. 
» Telegram uses the phone number instead of the username. 


» Google Takeout and iCloud Backup have a slightly different workflow, see their advanced 
options. 




1. To create an Account package, select the data source credentials to include in the 
account package. 


iCloud backup, WhatsApp web, Password collector are not supported in 
account package creation. 


[Screenshot: Validation screen with the Include in account package column, listing data sources such as Amazon Alexa, Facebook and Google Calendar with their user accounts and validation status.] 


2. Click Next. The Extraction settings screen appears. 


8.1.4. Managing cloud extraction settings 


[Screenshot: Cellebrite cloud extractor, Extraction settings screen. Define the extraction settings for each data source: a date range picker per data source (for example 11/04/2020 to 10/05/2020), a Use for all data sources check box, and data category check boxes (Images, Videos, Files).] 
1. Select a date range for each data source. 

To select the same range for all data sources, check Use for all data 
sources. 


2. Select or unselect the required data categories. 


3. Select the required Advanced settings. See Advanced options (on page 226). 


[Screenshot: Advanced options for an email data source. Extract messages: Entire message (selected), Messages without attachments, Only headers. Unread messages: Include unread messages.] 


4. Click Next. The Summary screen appears. 


8.1.5. Viewing the summary before extraction 


The summary screen displays all details and settings of the extraction. 


[Screenshot: Cellebrite cloud extractor, Summary screen. Review the list of data sources and start your extraction. Shows case details (case number, legal authorization, examiner name and ID, time zone, report path) and, per data source (Dropbox, Facebook, Messenger), the date range, user account, categories and advanced options.] 

1. Click Start extraction. 
8.1.6. Monitoring extraction progress 


It is possible to view and track the progress and status of a cloud extraction. Using the 
extraction progress screen that appears as soon as the extraction starts, you can see the 
current status of each data source as well as the progress of the entire cloud extraction. 


Possible statuses include: 


» Processing 

» Pending 

» Completed 

» Error/failed (plus the reason for failure) 
» Stopped 


[Screenshot: Extraction progress window listing the private cloud extractions in progress, for example Facebook Messenger, Google Chrome Sync, Google Contacts, Google Backup and Google Home, each with its status.] 


Cancel individual or all extractions if necessary by clicking Stop or Stop all. 


Once all data sources have been extracted, the Extraction summary will display a pass/fail 
indication. In case of failure, the reason for the failure will be displayed. 


8.1.7. Multi-factor authentication and CAPTCHA 


When validating data sources, it is sometimes necessary to take extra steps to access the 
data. These include multi-factor authentication and CAPTCHA. 


8.1.7.1. Multi-factor authentication 


Multi-factor authentication refers to a temporary code sent by SMS to an account's 
registered number/s. Physical Analyzer supports multi-factor authentication for most data 
sources. 


8.1.7.2. CAPTCHA 


CAPTCHA refers to a challenge question designed to screen against illicit scripts. 
Important notes 


» Generally, this challenge is only encountered when authenticating an account using 
credentials. 


» It can generally be avoided by using tokens from an account package. 


Supported apps 


Physical Analyzer supports a CAPTCHA challenge for the following data sources: 


» Amazon Shopping 
» Amazon Alexa 


How to authenticate data sources through multi-factor authentication/CAPTCHA. 


In the Validation screen of the extraction wizard, data sources that require additional 
authentication will be indicated. 


1. To begin the authentication either: 


» Click on Two Factor Authentication Required in the table row. 


» Click on the data source listed in the Two factor authentication required section below 
the validation table. 


[Screenshot: Validation screen with Google data sources marked Two Factor Authentication Required; Validated 0/1.] 


2. If this is the first time performing multi-factor authentication, the following window 
appears: 


a. Enter name. 


b. Click I Approve. 

[Screenshot: legal authority approval window] 


3. The authentication window appears. 


[Screenshot: Need additional authentication window (1 of 1) for Google Hangouts, showing Google's 2-Step Verification page: "This extra step shows it's really you trying to sign in", with the options Tap Yes on your phone or tablet, Try another way to sign in, and Use your phone or tablet to get a security code.] 


4. Scroll down in the inner window if necessary, enter the code/CAPTCHA requirement, and 
click Next. 


If additional data sources require authentication, repeat steps 3 and 4 for each source. 




When all sources are validated, click Ok. 
Special cases 


The flow for 2FA is mostly standard, but some apps present special circumstances or 
requirements. 


1. Authenticate a single iCloud session at a time. Otherwise, two-factor authentication will 
encounter problems: if sent simultaneously, the authentication factors sent by different 
iCloud services may conflict and cancel out one another. 
2. (Optional) Select to which device to send the verification code from a list of authorized 
devices previously defined by the account owner. 


Telegram - a different sequence of steps: the app requests a phone number and then an SMS code. 

Uber - a different sequence of steps: the app requests an SMS code followed by a password. 


8.1.8. Password collector 


When using an Account Package - regardless of its origin, whether extracted from iOS 
devices, Android mobile devices, Mac computers or PCs - you can look up the list of active 
accounts and their credentials in the Password collector. 


The Password collector can help you overcome expired tokens or gain access to apps which 
are not directly supported by Physical Analyzer. 


To run the password collector: 


1. Import an account package. 


Physical Analyzer will pull the list of apps and the account credentials extracted from the 
account package. 
2. The list of available tokens will appear. Select the Password collector and proceed with 
the extraction. 


[Screenshot: Data sources screen after importing an account package. A tab for the imported package lists the data sources that have tokens from the extracted device, for example Google Passwords, Google Photos, Google Play, Google Takeout, Office365 and Telegram, with a Select all option.] 


No internet connection is required. This note pertains exclusively to the 
Password collector. 


8.1.9. Choosing from multiple Google accounts 


When multiple Google account credentials are saved in a PC token and imported to UFED 
Cloud in an account package, you will need to choose which account to validate and extract. 


To choose a Google account: 


1. Select the relevant Google data source and click Next. The following window appears. 


[Screenshot: Sign in with Google, Choose an account (to continue to Google OAuth 2.0 Playground), listing the accounts found in the PC token, a Use another account option, and a Use this account for all Google data sources in this extraction check box.] 


2. Click Choose a Google account. The following window appears. 




3. Choose the desired account and click Ok. 


If you've selected multiple Google data sources for extraction, you may 
select to use one account for all Google data sources in the extraction. 


If you've selected a Google account with two-factor authentication that 
is currently logged out, it will trigger the two-factor authentication 
process. 


8.1.10. IMAP parameters 


When adding an IMAP data source, the Server address, Server port and Security options are 
displayed for popular accounts. You can add additional accounts by entering information in 
the Email service name box and completing the other fields. You can also remove accounts 
that are not required. If you would like to add an account that does not appear in the list, 
search the Internet for the required IMAP information. An IMAP example for an AIM account 
is displayed next. 


[Screenshot: IMAP data source form for an AIM account] 
Username: JohnSmith 
Password: (masked) 
Email service name: aim.com 
Server address: imap.aol.com 
Server port: 143 
Security: StartTls 
IMAP parameters: 

» User name: Login information for IMAP and SMTP, login name (account name). This is 
usually the same as the email address, e.g., JohnSmith@aim.com. 
» Password: Password to access the email account. 
» Email service name: Name of the email account, e.g., aim.com. 
» Server address: Incoming mail server for IMAP, e.g., Aim uses imap.aol.com. 
» Server port: TCP port for IMAP communication, e.g., the default Aim IMAP port is 143. 
» Security: Secure connection for IMAP server, e.g., Aim uses StartTls. The options are: 
» SslOnConnect: The connection should use SSL or TLS encryption immediately. 
» StartTls: Elevates the connection to use TLS encryption immediately after reading the 
greeting and capabilities of the server. 
» StartTlsWhenAvailable: Elevates the connection to use TLS encryption immediately 
after reading the greeting and capabilities of the server, but only if the server supports 
the STARTTLS extension. If you are not sure which security option to use, select the 
SslOnConnect option, which is used by most services. 


8.1.11. Advanced options 


Advanced options help you narrow down the extraction parameters. For example, you can 
select a specific timeframe, a specific backup file, or a specific account from several linked 
accounts. 


In this section: 


8.1.11.1. Advanced options for email services 


To specify optional advanced settings for email services such as Gmail and IMAP: 


1. In the Extractions settings window, select a data source and scroll down. 


2. Next to Advanced, click Edit . The advanced options appear in the window. 


[Screenshot: Advanced options for email services. Extract messages: Entire message (selected), Messages without attachments, Only headers. Unread messages: Include unread messages.] 
» Extract messages: The amount of content to extract from an email message. 
» Entire message: Extract all parts of the email message. This is the default option. 
» Message without attachments: Extract the email message (header and email body) 
without any attachments. 
» Only headers: Extract only the message headers (e.g., To, From, Date, Subject). This 
option is not available when using an account package¹ from an Android device. 
» Include unread messages: Clear this check box if you do not want to include unread 
messages in the extraction. This can be useful if the legal authority does not cover 
messages that have not yet been read by the suspect. 


8.1.11.2. Advanced options for Google Takeout 


Extract a subject's devices' content backup stored across Google apps. The advanced options 
allow you to choose which Google app data to display. 


The date range option is not relevant for Google Takeout extractions. 


¹ An export file in .ucae format that contains user credentials, tokens or cookies, that can be 
imported and used to authenticate cloud accounts. An account package can be exported 
from Physical Analyzer, Cloud Login Collector and more. 

To specify advanced settings for Google Takeout: 


1. In the Extractions settings window, select Google Takeout and scroll down. 
2. Next to Advanced, click Edit. The advanced options appear. 


[Screenshot: Advanced options for Google Takeout, Extraction Products. Google Takeout apps which are not supported by a dedicated data source: Fit, Google+ Circles, Hangouts, Keep, Profile, YouTube. Google Takeout apps which are supported only in ZIP format (not added to reports): Android Pay, Bookmarks, Google Play Books, Google+, Google+ Pages, Google+ Stream, Groups, Handsfree, Hangouts on Air.] 


There are 2 types of Google apps available for extraction: 


» Apps that are only supported via Google Takeout (these apps are selected by default) 
» Apps that are only supported in ZIP format 

To reduce extraction time and increase effectiveness, Google apps with dedicated data 
sources should be extracted using the dedicated data source (e.g., Chrome, Drive, Photos, 
Mail, etc.). 


3. Select the required data sources and click Start extraction. We highly recommend 
selecting only the apps you need for your case, to minimize extraction time. 


Space limitation: Google Drive storage affects the success of Google Takeout extractions 


Google Takeout uses the available storage in the person's Google Drive account to transfer 
the data into UFED Cloud. The default Google Drive size is 15GB, and the amount of space 
required can vary widely based on the amount of data collected. We therefore recommend 
focusing on the apps that will provide the most value to your investigation. 

The Takeout archive will remain saved in the person's Google Drive account. If the person's 
Google Drive is close to full, extraction options via Google Takeout in UFED Cloud are very 
limited, and may fail. In this case, the data can be downloaded manually as a ZIP file and 
imported manually into Physical Analyzer. 


8.1.11.3. Advanced options for Facebook 


To specify optional advanced settings for Facebook: 
1. In the Extractions settings window, select a data source and scroll down. 
2. Next to Advanced, click Edit . The advanced options appear in the window. 


[Screenshot: Advanced options for Facebook. Public events: Extract artifacts from public Facebook events. Attachments: Extract attachments.] 


» Extract artifacts from public Facebook events: Extract all Facebook events including 
public events. This option is cleared by default. 
» Extract attachments: Extract all parts of the message. This is the default option. To 
download messages (header and email body) without attachments, clear this option. 


8.1.11.4. Advanced options for statistics services 
To specify optional advanced settings for statistic services such as Google Search 
History: 
1. In the Extractions settings window, select a data source and scroll down. 
2. Next to Advanced, click Edit . The advanced options appear in the window. 


[Screenshot: Advanced options for statistics services. Search for: All searches (selected), Specific text.] 
» All searches: Extract the search history for all searches including text, voice and visited 
pages. This is the default option. 

» Specific text: Extract the search history for a particular search word or phrase 
including text, voice and visited pages. This is a simple text search with spaces 
between words. 


Google stores the list of mobile devices that were used to access the 
Google account. 


8.1.11.5. Advanced options for social media 


To specify optional advanced settings for social media such as Instagram: 


1. In the Extractions settings window, select a data source and scroll down. 
2. Next to Advanced, click Edit. The advanced options appear in the window. 
[Screenshot: Advanced options for social media. Extract comments: Top comments (not all comments will be downloaded), All comments (may take a long time). Select specific posts by Identifier in Data Source (the identifier is shown in the Event Properties tab), with an + Add identifier button.] 


» Top comments: Download top comments only. This does not download all the 
comments. 

» All comments: Download all comments - may take a long time to complete, depending 
on the number of comments. 


» Select specific posts by Identifier in Data Source: Select the post to be downloaded by 
the Identifier in the Data Source¹. The identifier in the data source can be determined 
from a previous extraction and is displayed in the Event Properties tab. Click Add 
identifier to add additional identifiers. 


¹ The source of the extracted data (e.g., Facebook, Google Takeout, Dropbox). 

8.1.11.6. Advanced options for storage services 

To specify optional advanced settings for storage services such as Dropbox and Google 
Drive: 
1. In the Extractions settings window, select a data source and scroll down. 


2. Next to Advanced, click Edit . The advanced options appear in the window: 


[Screenshot: Advanced options for storage services. Extract revisions: All revisions, Last revisions (selected). Extract files: All files, Selected files (selected) with a Select button showing the chosen folders and files.] 


» Extract revisions: The number of revisions to extract per file from Dropbox and Google 
Drive. 
» All revisions: Extract all revisions of images, videos and files. 


» Last revisions: Specify the number of revisions to extract for images, videos and files. 
The default is 0, which means no revisions are extracted. 
» Extract files: Specify folders and files to be extracted from Dropbox and Google Drive. 


» All files: Extract all the data. This is the default option. 
» Selected files: Specify the data (folders and files) that you would like to extract. 


8.1.11.7. Advanced options for Telegram 


To specify optional advanced settings for Telegram: 
1. In the Extractions settings window, select a data source and scroll down. 
2. Next to Advanced, click Edit . The advanced options appear in the window. 


[Screenshot: Advanced options for Telegram. Extract Channels check box.] 

» Extract channels: Channels are a tool for broadcasting public messages to large 
audiences and can have an unlimited number of members. 

8.1.12. Cloud Login Collector 


The Cloud Login Collector is a dedicated Windows tool to export access cookies from a 
Windows computer. The tool produces an account package that contains Google, Facebook, 
Facebook Messenger, Instagram, LinkedIn, and Twitter browser tokens, as well as iCloud, 
OneDrive and Telegram access tokens. You can select where the account package is saved. 
At the end of the process, you will receive a list of accounts from which the login information 
was exported. 


To export an account package: 

1. Go to MyCellebrite > Downloads and copy the PC Collector .exe file to a USB mass storage 
device. 

2. Insert the USB mass storage device into a USB port on the relevant PC. 

3. Browse to and double-click the .exe file. 


4. An account package is created as a .ucaecp file in the same folder where the .exe file is 
saved. A log file is also created. 


8.1.13. Exporting an account package from Physical Analyzer 


Export an account package to extract cloud accounts using tokens. 


This step is only necessary if UFED Cloud is installed on a separate machine 
from Physical Analyzer. 


To export an account package: 


1. Open an extraction in Physical Analyzer. 


2. Select Tools > Export account package. 


[Screenshot: Tools menu showing Export account package (Ctrl+E), Watch List Editor, Run Watch Lists On Active Project, Malware Scanner and Translation.] 


The Save As window appears. 


3. Click Save to save the Export file (*.ucae) file. The following window appears. 

[Screenshot: User accounts extraction summary listing each data source (e.g., Kik, Gmail, GoogleLocationHistory, GoogleDrive, Facebook) with its account name or token, and a Save button.] 


4. Click Save to save a text file summary of the extracted user accounts, or click Close to 
complete the process. (The summary may be useful when preparing search warrants, or 
to share with other investigators.) 


Multiple entries for the same data source may relate to different 
accounts that were used on the device, or to previous login information 
for the same account. 


8.2. Extracting public cloud account data 


View the public activity of a social media profile anonymously. To do this, you will use an 
avatar¹, that is a Facebook, Instagram, or Twitter "fake" account specifically created for this 
purpose. 


The avatar profile should never be a “real” profile as it is at risk of being blocked by the 
Service provider for suspicious activity. 


UFED Cloud will extract activity that is visible to the avatar. Therefore the data available for 
extraction is dependent on the relationship between the profiles. For example, a friend of a 
friend may be able to extract more data than a stranger. 


¹ A social media profile that you can use to extract public data. Note: Avatars are public 
profiles, and as such, are exposed to public review. 

To extract a public data source: 


1. In the menu, click Cloud > Extraction > Public cloud data. 


[Screenshot: Welcome to Cellebrite Physical Analyzer screen] 


2. If you haven't created an avatar, the following screen appears: 

[Screenshot: Public data window prompting: To extract a person's public data, create or activate an avatar.] 


If you have already created at least one avatar, you can skip this step. 


3. Click Create avatar. 
4. Click New avatar. 


5. Select the avatar account data source. 
6. Enter the Email/username of the avatar account. 
7. Enter the password. 
8. Click Validate. 
9. Once validated, click Add. 


Note: Profiles requiring two-factor authentication won't work properly as avatars. 


10. In the Public Cloud extractor window, select the data source. 


11. Select the search by option (User ID, Username, Phone, or Email). 
Usernames and User IDs are part of a person's public profile. A Username is the web 
address to a person's profile or page, for example ‘facebook.com/username’. A User ID is 
a string of numbers that is connected to a data source profile. 


12. Enter the identifier for the Search by option. 
13. Click the arrow button. 




14. The system will suggest a person. 
15. Click Next. 




16. A summary of the person's public data appears. 
17. Click Extract public data to execute the extraction. 


For further information on creating and managing avatars, see Creating a public domain 
avatar (on page 305). 
8.3. Supported content 


Following is a list of data sources (and apps) supported by UFED Cloud and the types of 
content that can be extracted for each. The content types are defined under Content 
categories (section 8.3.3). 


Data source | Messages | Images | Videos | Files | Contacts | Calls | Locations | User profile | User activity | Backups 

Data sources covered by the table: Android Backup¹ ², Amazon Alexa, Box, Coinbase, Discord, 
DJI Go 4, Dropbox, Facebook, Facebook Messenger, Fitbit, Generic email (IMAP), Gmail, 
Google Backup, Google Calendar, Google Chrome Sync, Google Contacts, Google Drive, 
Google Hangouts, Google Home, Google Keep, Google Location History, Google My Activity, 
Google Passwords, Google Play, Google Photos, Google Takeout, Google Tasks, iCloud Backup², 
iCloud (Real-Time Location), iCloud Data, iCloud Drive, Instagram³, iTunes Purchases, 
Line (Google/iCloud)⁴, LinkedIn, Lyft, Magenta, Microsoft Office 365, Microsoft Outlook 365, 
OkCupid, OneDrive, Password collector, Samsung Backup, Skype, Slack, Snapchat, Telegram, 
TikTok, Twitter, Uber, Viber, VK, WhatsApp, WhatsApp (credentials)⁵. 


¹ This data source is only available if you have Virtual analyzer installed on the same 
machine. 

² This includes nearly all data and settings stored on the device, i.e., text messages, call logs, 
application information, and device settings. 

³ Images/videos. 

⁴ iOS only. 

⁵ When authenticating WhatsApp backup from iCloud using only credentials, only attachments 
are extracted. Text messages will not be extracted. In order to get messages, contacts, and 
calls, you will need to upload an account package from a device that had the same WhatsApp 
account installed. For WhatsApp backup from Google Drive, no account package is needed 
for the extraction. The authentication process will disconnect the active WhatsApp session on 
the device. 
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8.3.1. Supported apps by extraction method 


Data Source | System (Premium) | System (Using UFED4PC) | Physical Extraction | Username & Password 

Data sources covered by the table: Amazon Alexa/Echo, Android backup, Box, CoinBase, 
Discord, DJI GO 4, Dropbox, Facebook, Facebook Messenger, FitBit, Gmail, Google Calendar, 
Google Chrome Sync, Google Contact, Google Drive, Google Hangouts, Google Home, 
Google Keep, Google location history, Google MyActivity, Google Photos, Google Play, 
Google Takeout, iCloud Backup, iCloud Web, Instagram, LinkedIn, Lyft, Magenta, Office365, 
Office Outlook, OkCupid, OneDrive, Skype, Slack, Snapchat, Telegram, TikTok, Twitter, Uber, 
Vkontakte, WhatsApp Web, iCloud WhatsApp backup, Google WhatsApp Backup. 
8.3.2. Cloud Login Collector: Supported tokens & OS 


When using the Cloud Login Collector to extract an account package, the data available for 
extraction depends on the computer's operating system and browsers. 


The table below lists which apps and desktop apps are supported and under what conditions. 
See also SupportedExtractionMethods.htm. 


Operating system | Supported browsers 
Windows 7 | Chrome, Internet Explorer², Firefox 
Windows 10 | Chrome, Firefox 
MacOS Sierra 10.13 | Safari, Chrome, Firefox 

Supported desktop apps: Box, iCloud Backup, OneDrive¹, Skype². 

Supported data sources: Facebook, Facebook Messenger, Google data sources³, Instagram, 
LinkedIn, OkCupid, Twitter, Telegram, VK. 


¹ For Windows 10, OneDrive file system integration in Windows OS is supported, but the Microsoft 
Store OneDrive application is not supported. 

² Skype for Business is currently not supported. 

³ The following Google data sources are currently not supported: Chrome, Hangouts, 
Passwords and Takeout. 
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8.3.3. Content categories 


» Messages: Communication generated by a user. A message may include text, image, 
video, files, location information, and tagging data. 

» Images: Images uploaded by the user that are not attached to a message. An image may 
contain additional properties such as “created at location”. 

» Videos: Videos uploaded by the user that are not attached to a message. A video may 
contain additional properties such as “created at location”. 

» Files: Image or video files uploaded by the user that are not attached to a message. 

» Contacts: Other people that the subject is in contact with. 

» Calls: Phone call logs between parties. 

» Location: Standalone location information not attached to a message, image or video. 

» User profile: Information about the user such as frequently used devices, bio and home 
town. 

» User activity: Activities performed by the user. The type of activity depends on the 
application, and may include web searches, web page navigation, voice commands, 
calendars, reminders, notes, travel information and history of online purchases. 

» Backups: Content or device backups stored in the cloud. 


UFED Cloud also extracts embedded data artifacts. Examples include email message 
attachments and the location at the time a Facebook post was made. 


Location information is often secondary to the main content category. For example, the 
journey of a drone on DJI Go 4 or of an Uber passenger will be found under user activity, 
rather than location. 
8.4. Troubleshooting 


8.4.1. Restarting the UFED Cloud Communication Manager Service 


The UFED Cloud Communication Manager service is a computer process that runs in the 
background and provides communication support to the UFED Cloud application. If a service 
is not available, a message is displayed while using UFED Cloud. You will need to exit the 
application, restart the service manually and then start the application again. 


You must be logged in as an administrator to start or disable services. 


Procedure 


1. Open the Start Menu, type services in the search box, and then click Services (or View 
local services for Windows 10). The Services window is displayed. 


2. Select the UFED Cloud Communication Manager service. 
3. Right-click the service and click Start. 




4. Restart UFED Cloud. 
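The same restart can be done from an elevated PowerShell prompt instead of the Services console. This is an added example, not part of the Cellebrite manual: the display name 'UFED Cloud Communications Manager' is the one shown in the manual's Services window, the service's short (internal) name is not documented there, and the function names are the example's own.

```powershell
# Added example (not from the Cellebrite manual): restart the UFED Cloud
# Communication Manager service from an elevated PowerShell session and verify
# that it reached the Running state. The lookup is by display name because the
# manual only shows the display name; adjust $DisplayName if your install differs.

function Test-IsAdministrator {
    # The manual notes that starting or stopping services requires an administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Restart-UfedCloudService {
    [CmdletBinding()]
    param(
        [string]$DisplayName = 'UFED Cloud Communications Manager',   # from the Services window
        [int]$TimeoutSeconds = 60
    )

    if (-not (Test-IsAdministrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }

    # -ErrorAction Stop turns "no service with that display name" into a terminating error
    # rather than a silent $null, so a typo in the name cannot be mistaken for success.
    $service = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    Write-Host ("{0} ({1}) is currently {2}" -f $service.DisplayName, $service.Name, $service.Status)

    switch ($service.Status) {
        'Running' { Restart-Service -InputObject $service -Force -ErrorAction Stop }
        'Paused'  { Resume-Service  -InputObject $service -ErrorAction Stop }
        'Stopped' { Start-Service   -InputObject $service -ErrorAction Stop }
        default   { Write-Host "Service is in transitional state $($service.Status); waiting for it to settle." }
    }

    # Block until the service controller reports Running; WaitForStatus throws a
    # TimeoutException if the service never gets there (e.g. it keeps crashing on start).
    $service.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSeconds))
    $service.Refresh()
    if ($service.Status -ne 'Running') {
        throw "Service '$DisplayName' did not reach the Running state within $TimeoutSeconds seconds."
    }
    Write-Host "Service '$DisplayName' is running. You can now restart UFED Cloud."
    return $service
}

Restart-UfedCloudService

# Quick health check of the other UFED services listed in the same Services window
# (Monitoring Service, Analytics Elasticsearch, ...): anything not Running stands out.
Get-Service -DisplayName 'UFED*' |
    Select-Object DisplayName, Name, Status, StartType |
    Format-Table -AutoSize
```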
8.0.1. Known issues and limitations 


Area | Detected in version | Description 
General |  | The timestamps for Event Logs are only correct according to the date (day) the event occurred. The time displayed is not relevant. 
General |  | In some instances, the data source does not present the same number of items due to an external issue with the data source itself. 
General |  | Cloud data extractions are limited to a maximum number of artifacts per type. (If required, the maximums can be changed - contact Cellebrite Support). 
General |  | Repeating a cloud data extraction that was limited to less than the total existing artifacts may extract different artifacts the next time. 
Snapchat |  | 1. Only “missed calls” are extracted. 2. Only current stories can be extracted. Every story is available for only 24 hours. After that, stories expire and they cannot be viewed and cannot be extracted. Third-party limitation. 3. Messages disappear after they are viewed. 
Instagram |  | 1. Stories are only supported if they have been shared with the extracted account and have not disappeared from the app. 2. Disappearing photos and videos (those marked by a bomb icon) can be extracted as long as they appear in the app. Once they have disappeared from the app, they are no longer available for extraction - only their meta-data is extracted, for example, that a user/participant sent a video/image and the timestamp. 
Facebook |  | Account activity in Facebook is returned from the service with only a date but without a time stamp. UFED Cloud substitutes the missing time stamp with a general filler “00:00” to indicate that the time is unknown. If the user changes the time zone, the time zone change will also take effect on the general filler “00:00” and can change the date accordingly. (For example, the activity listed as 10/06/19 00:00 in a +3 time zone will appear as 09/06/19 23:00 in a +2 time zone). 
Area | Detected in version | Description 
iCloud Web, iCloud WhatsApp - Incorrect credentials | 7.8 | If the wrong 2FA code is attempted multiple times in a short time span, iCloud will stop sending the verification SMS. After 4-5 failed attempts, wait 10-15 minutes before making another attempt. 
Samsung Backup | 7.8 | 1. Only the last 1000 calls/SMS are extracted. Third-party limitation. 2. Highly variable data is extracted. Differs greatly by Samsung model and OS version. For example: a. Samsung S7 edge Backup includes calendar and contacts but Samsung A7 does not. 3. In some models, contacts are extracted only if they were saved to the SIM card. 4. In some models, the UFDR report does not contain Profile details that contain user profile and WIFI passwords. 
Google Home |  | Audio files are not returned. Third-party limitation. 
Google Keep | NA | Attached locations are not returned from the server. Third-party limitation. 
Lyft | 7.7 | The map view does not show the ride. This is caused by a third-party limitation as the server does not return coordinates for the pickup and drop-off points. Workaround - addresses are shown. 
Lyft |  | Canceled rides are automatically deleted after some unspecified time period. Third-party limitation. 
PC login collector |  | Google Hangouts is not supported. 
Data source: Skype |  | Records of video calls are not extracted. 
PC login collector |  | MAC Twitter tokens are not supported. 
Extractions | 7.0 | Extractions using cookies extract less data than mobile device tokens. 
PC login collector | 7.0 | Internet Explorer 11 is not supported on Windows 10. 
Data Source: VK | 6.3 | When an image has been modified, the date and time of modification is not available. 
Area | Detected in version | Description 
Data Source: LinkedIn | 6.2 | UFED Cloud calculates the image hash values from LinkedIn’s server. Users see an optimized version of the image which may have a different hash value. 
Data Source: Google Takeout | 6.2 | When the Google account's primary language is not English, the Takeout extraction may appear incomplete. 
Data Source: Google Keep (via Google Takeout) | 6.2 | Drawings contained in Notes are displayed under Images, and are not linked to the original note. 
Data Source: Box | 6.2 | Tiff files extracted from Box may appear corrupted when opened in Windows viewer. 
Proxy | 6.2 | UFED Cloud extraction methods may be blocked via proxy. Cellebrite recommends working without a proxy. 
PC Token Extractor | 6.1 | Limited to tokens from Google Chrome browser. 
Data Source: WhatsApp (Google Drive) | 6.1 | xxx.mov video file extension is displayed as xxx.mp4. 
Data Source: WhatsApp (Google Drive) | 6.1 | Restored data contact info is displayed as attached files. 
Data Source: WhatsApp backup (iCloud) | 6.1 | User account packages are not supported. Recovery is limited to media files & attachments; chats are not extracted. 
Data Source: Google 2-factor authentication | 6.1 | iOS account packages including Google 2-factor authentication are not supported. 
Data Source: Telegram | 6.0 | Account packages are not extracted from iPhone. 
Data Source: Facebook | 6.0 | When selecting to exclude attachments, not all chat messages are extracted. 
Area | Detected in version | Description 
Data Source: Cloud Login Collector | 6.0 | When using the Cloud Login Collector to collect tokens from iOS 8x and below, the token may expire after a short time. 
Data Source: Google Chrome Sync | 6.0 | Google passwords are not extracted when a Chrome passphrase is defined (will be available via Google Chrome). 
Data Source: Google Drive | 5.2 | The following file types are not extracted: map, presentation, drawing, spreadsheet, document, form and crypt8. 
Data Source: Twitter | 5.2 | Posted videos with privacy not set to “All Users” are not extracted. 
Data Source: Twitter | 5.2 | Cannot import pending follower users that were suspended by Twitter. 
Data Source: WhatsApp Backup | 5.2 | The duration of the selected video is not displayed. 
Data Source: WhatsApp Backup | 5.2 | For group discussions, some system messages such as group name change, group icon change, new party joined may not be displayed. 
Data Source: iCloud Drive | 5.1 | Incorrect file path with right-to-left languages. 
Data Source: One Drive | 5.1 | The modified time displayed may not be correct. It displays the time modified on the server, while the OneDrive UI displays the time modified on the client. 
Data Source: iCloud | 5.1 | Occasionally an extraction is completed with errors, because it could not download devices and locations. To resolve this issue try performing the extraction again. 
Data Source: iCloud | 5.1 | Extraction from iCloud email via IMAP is case sensitive. The user name must be entered correctly. 
Data Source: Google Search History | 5.1 | The user profile information is not extracted via credentials or account package. 
Data Source: Google Search History |  | Voice searches appear as visited pages instead of search requests. 
Data Source: VK | 5.0 | Audio files that were uploaded or attached from the user's PC cannot be extracted. 
Area | Detected in version | Description 
Data Source: VK |  | VK does not generate a unique ID for the post and comments, and therefore it is not displayed. 
Data Source: VK |  | Comments on images and videos uploaded by the subject on their wall appear twice. 
Data Source: Google Contacts |  | Contacts with only a name, without additional data such as phone number, address or email, are not extracted. 
Data Source: Facebook |  | The number of extracted participants for a Facebook event is limited to 6,000. 
Data Source: Facebook |  | The “Likes” for some user post images uploaded to an album are not displayed. 
Data Source: Facebook |  | Posts that were merged by the Facebook server are not extracted. 
Data Source: Facebook |  | People that liked edited comments are not displayed on the right pane. 
Data Source: Facebook |  | People that liked friend's comments on a user's post are not displayed on the right pane. 
Data Source: Facebook |  | A post may contain duplicate posts. This is due to an issue in Facebook that miscorrelates comments of one post with another post. 
Data Source: Facebook |  | Facebook comments on posts of a new image uploaded to an album with “friends only” permission are not extracted. 
Data Source: Facebook |  | Details of a Facebook event in which the subject is participating will only be extracted if content (e.g., posts, images, videos) was generated during the selected time frame of the extraction. 
Data Source: Facebook |  | Facebook posts in which the subject is tagged (or tagged in and shared with friends only) are not extracted. 
Data Source: Facebook |  | Facebook posts that contain location and attachments (photos, videos, etc.) are displayed in the Timeline View without the attachments. The attachments are displayed as uploaded content in the Files view without the ability to correlate them with the post. 
Data Source: Facebook |  | Attachments to Facebook comments are not extracted. 
Data Source: Facebook |  | Deactivated Facebook accounts are not extracted as contacts, although they may appear in the subject’s contacts list in Facebook. 
Data Source: Facebook |  | “Feeling/Activity” information attached to a Facebook post is not extracted. 
Area | Detected in version | Description 
Data Source: Facebook |  | Photos added to the subject's Facebook album by external parties are not extracted. 
Data Source: Facebook |  | The Facebook video duration property is not extracted. 
Data Source: Facebook |  | Emotion icons in Facebook chat messages are not displayed. 
Data Source: Facebook |  | Facebook posts that the subject hides from his/her timeline are not extracted. 
Data Source: Facebook |  | Facebook locations added by the suspect may not be extracted if the specified location is not known by Facebook. 
Data Source: Facebook |  | Facebook photos attached to posts are displayed without width and height properties. 
Data Source: Facebook |  | Facebook chat message categories such as Other, which are filtered from the Inbox, are not extracted. 
Data Source: Facebook |  | Facebook “Say Thanks” videos are not extracted. 
Data Source: Facebook |  | While extracting data from Facebook, the following error messages may be displayed: “The remote server returned an error: (404) Not Found.” “The remote server returned an error: (500) Internal Server Error.” “The remote server returned an error: (400) Bad Request.” “A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.” This may cause some of the information not to be extracted. To resolve these errors run the extraction again. 
Data Source: Facebook |  | Only a partial list of the posts may be extracted due to a known issue in the Facebook interface: https://developers.facebook.com/bugs/590765867735109/ 
Data Source: Facebook |  | Event log does not show all text (log title). 
Data Source: Gmail |  | Extraction of locations from attached images in Gmail is not supported. 
Data Source: Gmail |  | Replied or forwarded email messages that are extracted using an account package from an Android device do not have reference to the original email messages. 


Area | Detected in version | Description 
Data Source: Gmail |  | When using login information from an Android device the CC and BCC recipients are not extracted. 
Data Source: Gmail |  | Text formatting such as bold or underline is not displayed in email correspondence. 
Data Source: Gmail |  | Attachments from external sources (e.g., links to a file in Google Drive) are not displayed. 
Data Source: Google Drive |  | Google Docs files created in Google Drive are extracted with a size of zero, even though the file contains data. Data can still be displayed. 
Data Source: Google Drive |  | Google map files stored on Google Drive are not downloaded. There is an indication that the map exists. 
Data source: Google Location History |  | Google Location History is not supported for iPhone 4 regardless of the device extraction method. 
Data source: Google Location History |  | During the first few days that data is collected, the number of locations presented may change. 
Data Source: Twitter |  | While extracting data from Twitter, the following error may be displayed: “The remote server returned an error: (404) Not Found.” This may cause some of the information not to be extracted. To resolve this error run the extraction again. 
Data Source: Twitter |  | Twitter extractions are limited to 800 tweets from the home timeline (which contains the user's tweets and the users he/she follows) and 3,200 tweets from the user's timeline (which contains tweets of the user). 
Data Source: Dropbox |  | Videos uploaded to Dropbox via iPhone are displayed with a duration property of zero. 
Data Source: Dropbox |  | For right-to-left languages, the file name and directory displayed in the right pane are reversed. 
Discord |  | There is no accurate indication of how many participants there are in a channel chat. It will always display '2': the extracted account and the channel name. 
Discord |  | No error when using wrong credentials the first time they are entered. Only when entering credentials on the next screen will there be an indication of incorrect credentials. 
Android backup |  | Extractions finish with trace error: “No device found for merged project.” 
Area | Detected in version | Description 
Android backup |  | Extraction finishes with the following errors when backup is not accessible: ‘Failed to execute: AndroidBackupCloudExtractor’, “Failed to restore backup”. This will also occur when there was more than one backup, and the other downloaded successfully. 
Android backup |  | When selecting a data source that contains backup and extracting it with More data, the following error will be displayed: “No device found for merged project.” 
Android backup |  | Can access external apps only on Android 7 and below. 
Data source: Skype |  | Audio messages on Skype are stored on the servers for 30-60 days after they are played. 
Extraction |  | Deleting the data for an extraction that was stopped by the user causes some files related to the extraction to remain on the hard drive of the computer. These files are not accessible by the user. 
Extraction |  | Extraction data may not be recovered if an unexpected error occurred during the extraction. In this case, the best practice is to redo the extraction. 
View |  | Emails in HTML view in the content pane (right pane) are limited to 1,000 characters. Use the regular view to review large emails. 
Report |  | Reports cannot be generated when an extraction is taking place. You should either wait for the extraction to complete, or stop the extraction using the Extraction manager prior to generating a report. 
9. Generating a report 


You can generate a report of the information in the project. Physical Analyzer provides a 
report wizard to help you through the steps of creating a report. 


To generate a Preliminary device report, see Generating a Preliminary device report (on 
page 268). 


To generate a report, perform the following steps: 


1. Select Report > Generate Report from the application menu. The Generate Report 
window appears. 


2. Enter the relevant information in the General fields. 


File name | Enter or edit the name for the new report. The default report name is: project name_date_Report, e.g., Drone DJI_Inspire 2_2017-12-25_Report. When more than one project is selected, the default name is: [Project_name]_date_Report, e.g., [Project_name]_2017-12-25_Report. 
Save to | Enter a location where the new report folder will be created. 
Report sub directory | Enter a name for the new sub-folder containing the report(s). The default sub directory name is the current date and time. 
Project | Choose the project(s) to include in this report. Only projects that are already opened in Physical Analyzer are available for reporting. 
Format | Choose report format(s). If multiple formats are chosen, a report will be generated for each format. Microsoft Excel 2003 reports that contain more than 65,536 rows cannot be opened in their entirety. 


Fields in red are mandatory. 


3. Enter the relevant information in the Case information fields. 


Listed are the default settings for these fields. See Setting the case information (on page 
447). See Additional report fields (on page 436) and Report defaults (on page 438) for 
other defaults. Additionally, the last 10 values entered in these fields are also available in 
the drop-down. 


4. Click Next. The Report dataset window appears. 
9.1. Report dataset settings 


The dataset settings enable you to choose events between specific dates and what data to 
include in the report. 




To complete the Report dataset settings, perform the following steps:

1. To use the optional time range filter, in the Report range filter area select the Include only events between these dates check box, enter the date range and click Apply to update the data in the Extraction area.

   Select the Include items without a timestamp check box to include events that do not have a timestamp.

2. Under the Data types heading, select the analyzed data and the data files to be included in the report.

   The data types listed will vary based on the data available in the selected projects, and include all the data sets listed under Analyzed data and Data types in the project tree.

   Next to each data type, the number of items to be included in the report is displayed, alongside the total number of items of this type. The number of items included in the report may change based on your choices in the following sections.

3. Under the Preferences heading, select the data to be included in the report.


Tags table
    Select to include the tag table in the generated report. To specify which tag labels to include/exclude, click Select tags.

Tags only
    Select to include tags only (disables all Data types except for Device info) in the generated report. To specify which tag labels to include/exclude, click Select tags.

Select tags 3/3
    Click to select which specific tag labels you want to include/exclude in your report. This is useful in cases where not all examiners should be exposed to all the tagged items in an extraction.

Calculate SHA-2 (256 bit) hash
Calculate MD5 (128 bit) hash
    Select which calculated MD5 and SHA256 hash values to add to each Data Files item in the generated report. This selection is for the whole report and applies to all projects within the report. To shorten the report generation process of large projects, do not select the Hash options.

Include translations
    Select to include translated text.

Include known files
    This option enables you to include system images or files in your report. Clear this option to automatically filter out common/known/system images and save critical investigation time that would otherwise be spent reviewing media images such as device icons, or images that are included by default when installing apps.

Include Malware scanner results
    Include results from Malware scanner.

Include Hash set results
    Include results from hash databases run on the extraction.

Redact image thumbnails
    Select to redact image thumbnails from PDF, Word and HTML reports.

Include merged items - analyzed data and data files
    Select to include merged data from the Analyzed data section and/or the Data files section of the project tree. The Include merged items options are unselected by default. When these settings are selected, your report will include all items, including duplicate items. The total number of items selected for the report may change based on these settings.

Include Reader
    Select to share UFDR reports with authorized persons using the Reader. The Reader executable will then be included within the report output folder. This option is for the UFDR format only.

Include conversation bubbles
    Select to include the chat bubbles of the conversation in the report. To include the metadata of the chat bubbles, make sure that the Include metadata in chat bubbles check box under Settings > Report Defaults is selected.
Include source info indication
    Select to include the source file information (as displayed in the Source file information column).

Include enrichments/Review
    Select to include BSSID enrichments and Image classification.

Hide extraction source indication
    Select to hide extraction source types. If the check box is cleared, the report will indicate the type of extraction from which the field was obtained, e.g., physical, logical, file system. If the check box is selected, the type of extraction will not be displayed. The check box is only relevant with the Multiple extraction feature. For single extractions, the extraction source type will not be displayed.

Include account package
    Select to include an account package, which is an export file that contains user credentials.

Include Activity sensor data samples
    Select to include the sample data of all detailed measurements of the activity data.

4. Click Next. The security screen appears. 
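The two hash options in the Preferences table record an MD5 and a SHA-256 digest for each Data Files item. As an added example (not Cellebrite code), the Python below computes both digests in a single pass, builds a manifest for every file under a report folder, and verifies that manifest later, flagging files that were modified, removed or added since the report was produced. The folder layout and file contents are constructed for the demonstration.

```python
"""Added example, not Cellebrite code: build an MD5 + SHA-256 manifest for the
data files in a report folder and verify it later, so a reviewer can check that
exported media were not altered after the report was generated."""
import hashlib
import io
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep large media files out of memory


def _digest(fh):
    """Compute both digests in one pass over a binary stream."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: fh.read(CHUNK), b""):
        md5.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """(md5_hex, sha256_hex) of an in-memory byte string."""
    return _digest(io.BytesIO(data))


def hash_file(path):
    """(md5_hex, sha256_hex) of a file on disk."""
    with open(path, "rb") as fh:
        return _digest(fh)


def build_manifest(root):
    """Map each file under root (POSIX-style relative path) to its (md5, sha256) pair."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Recompute digests and list files that changed, disappeared, or were added."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed sample report folder: hash two files, then tamper with one and delete the other."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Images").mkdir()
        (root / "Audio").mkdir()
        image = root / "Images" / "IMG_0001.jpg"
        audio = root / "Audio" / "memo.amr"
        image.write_bytes(b"\xff\xd8\xff\xe0" + b"constructed jpeg payload")
        audio.write_bytes(b"#!AMR\n" + b"constructed audio payload")
        manifest = build_manifest(root)
        image.write_bytes(b"\xff\xd8\xff\xe0" + b"tampered payload")  # modified after hashing
        audio.unlink()                                                 # removed after hashing
        return manifest, verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo()[1])
```

Running the demo reports IMG_0001.jpg as modified and memo.amr as missing. Computing both digests in one read is what makes the two-option selection cheap; the cost the manual warns about for large projects comes from reading every media file, not from the second hash.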
9.2. Report security settings


The report security settings include two levels of protection:

» UFDR protection: UFDR files hold sensitive, confidential and personal data. Adding this optional security layer enables you to better protect data contained in UFDR files. The Reader and Cellebrite Pathfinder solutions can automatically read UFDR files, even if the security layer is selected. If you are importing UFDR files into third-party tools, you should not select this option.

» Password protection: Apply password protection to Excel, PDF, UFDR, and Word reports.


[Screenshot: Generate Report dialog, Security page, showing UFDR protection (Protect UFDR files to increase the security of the data; Apply to: UFDR) and Password protection (Note: Add a password to further enhance report security; Apply to: selected formats; Password; Confirm password). Buttons: Update report settings, Previous, Next, Cancel.]


To complete the security settings, perform the following steps:

1. Select the UFDR check box if you would like to protect the UFDR file.
2. Choose the report formats to protect with a password (optional).
3. Enter and confirm the password.
4. Click Next. The Layout screen appears.
9.3. Report layout settings


You can set the report layout to meet your agency's requirements. 


[Screenshot: Generate Report dialog, Formatting - Table Sorting page, showing the View sorting and Default sorting options. Buttons: Previous, Next, Finish, Cancel.]


To complete the layout settings, perform the following steps: 


1. Select Default sorting to sort the items included in the generated report according to the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear Default sorting to sort the items according to the selected sorting field and the sorting order (ascending or descending) that was set by the user in each of the data display tables.

2. For each format chosen for this report, you can specify report parameters as follows:


Disable models categorization
    Select to disable the separation and generate a report in which every data item is generated as a single section without subcategory separation. By default, a categorized report is generated, in which each category in the data items group is generated as a separate section in the report. For example, when generating a report with Call logs, select the check box to generate the Call logs as a single list, or clear the check box to break it into a separate list for each category of Call logs.

Report header
    Text area where you can enter and format custom text to appear in the report header before the logo image.

Logo
    Click Select Image File to add the logo image to appear in the report header. Supported file formats are: BMP, JPG, GIF, and PNG.
Footer
    Enter and format custom text to appear in the report footer after the logo image.

Show totals for items not in the report
    Add a Total column to the report that displays the total number of items that were excluded from the report.

Show extended deleted state
    Include the state (Intact, Deleted, or Unknown) of deleted items in the generated report. When not selected, the state is logged only as Yes for deleted items and is left empty for other states.

Number of lines for email preview
    Set the maximum number of lines from each email message to appear in the report.

Display full email body
    Display the entire message body.

Number of messages per chat
    Set the maximum number of messages per chat to appear in the report.

Display all chat messages
    Display all chat messages in the report.

Font Family
    For PDF reports only.

Split HTML report
    Ensure that each section of the report starts on a new page. For HTML reports only.

Unprintable characters placeholder
    Set the placeholder character to replace the unprintable characters. For Excel and ODS reports only.

The Excel report is compatible with OpenOffice
    Select to ensure the Excel report can be opened in OpenOffice. For Excel and ODS reports only.

Generate Contact Identification Data
    Select to add a sheet to the Excel report that provides a list of unique contacts based on type. For Excel and ODS reports only.


The parameters displayed will vary based on the report types you have chosen.

3. Click Finish.

   Finish is unavailable until all the required fields are filled. A yellow warning icon is displayed next to all required fields that are not yet complete.
4. When the report is successfully generated, you are prompted to open the generated report file. The file opens using the application associated with the file format that is installed on the workstation.

   Once a report has been generated for the project, it can be accessed from the Reports section in the project tree. Double click any of the generated reports to open it in the associated application installed on the workstation. Right click any of the generated reports to open the report file, or select Open containing folder to browse the files and folders of the report.
9.3.1. Formatting the UFDR file


This window enables you to split the UFDR file and add Investigation notes. 


[Screenshot: Generate Report dialog, Formatting - UFDR (For Cellebrite Reader or Analytics) page, showing Split UFDR (Split UFDR file check box and file size selection), Investigation notes (in the Cellebrite Reader, the Investigation notes will appear as a separate tab in the Extraction Summary), and Cellebrite Reader report language (Select the report language for the Cellebrite Reader application; default: English). Buttons: Update report settings, Previous, Next, Finish, Cancel.]


9.3.1.1. Splitting the UFDR file 


Splitting a UFDR file enables you to divide a file (too large to fit onto storage media) into multiple smaller files, for easy transfer. Select 700 MB for CDs, 4.7 GB for DVD, or a custom file size between 100 MB and 10 GB. When you open a UFDR that has been split into separate files, Physical Analyzer will automatically merge all the files into a single report.

To split the UFDR file:
1. Select the Split UFDR file check box.
2. Select the required file size.
3. Click Next.

To open the split UFDR in Physical Analyzer, select the main UFDR file (*.ufdr).
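The split-and-merge behaviour described above, as an added example that is not Cellebrite code and does not use the UFDR format: a file is cut into fixed-size parts, the CD/DVD presets and the 100 MB to 10 GB custom range are validated, and the parts are reassembled only if the result matches a SHA-256 digest taken before splitting. The decimal MB/GB units, the .partNNN naming and the sample file are assumptions of this example.

```python
"""Added example, not Cellebrite code or the UFDR format: split a large file into
fixed-size parts, validate the size choices the Split UFDR dialog offers, and
reassemble the parts while checking the result against a SHA-256 digest."""
import hashlib
import tempfile
from pathlib import Path

MB = 1_000_000                 # decimal units are an assumption; the dialog does not say
GB = 1_000 * MB
PRESETS = {"CD": 700 * MB, "DVD": 4_700 * MB}


def part_size_for(choice):
    """Resolve a preset name ("CD", "DVD") or a custom byte count (100 MB to 10 GB)."""
    if isinstance(choice, str):
        return PRESETS[choice]
    if not 100 * MB <= choice <= 10 * GB:
        raise ValueError("custom part size must be between 100 MB and 10 GB")
    return int(choice)


def sha256_file(path):
    """Hex SHA-256 of a file, read in 1 MiB blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def split_file(src, part_size):
    """Write src as src.part001, src.part002, ... and return the part paths in order."""
    src = Path(src)
    parts = []
    with open(src, "rb") as fh:
        for index in range(1, 10_000):
            data = fh.read(part_size)
            if not data:
                break
            part = src.with_name(f"{src.name}.part{index:03d}")
            part.write_bytes(data)
            parts.append(part)
    return parts


def merge_parts(parts, dest, expected_sha256):
    """Concatenate the parts in order and refuse the result if its digest does not match."""
    dest = Path(dest)
    with open(dest, "wb") as out:
        for part in parts:
            out.write(Path(part).read_bytes())
    actual = sha256_file(dest)
    if actual != expected_sha256:
        raise ValueError(f"reassembled file digest mismatch: {actual} != {expected_sha256}")
    return dest


def demo(total_bytes=2_500_000, part_size=1_000_000):
    """Constructed sample: a 2.5 MB file split into 1 MB parts. The small sizes keep the
    demo fast; part_size_for() would reject them as a real dialog choice."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "sample.bin"
        pattern = bytes(range(256))
        src.write_bytes((pattern * (total_bytes // 256 + 1))[:total_bytes])
        digest = sha256_file(src)
        parts = split_file(src, part_size)
        merged = merge_parts(parts, Path(tmp) / "merged.bin", digest)
        return len(parts), sha256_file(merged) == digest


if __name__ == "__main__":
    print(demo())
```

Taking the digest before splitting and checking it after merging is the step that matters when parts travel on separate media: a part that is truncated, swapped or renamed out of order is caught before anyone opens the reassembled file.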


9.3.1.2. Adding investigation notes 


If required, enter notes in the area provided. These notes will be displayed as a separate tab in the Cellebrite Reader, under the Extraction Summary.




9.3.1.3. Cellebrite Reader report language 


In some cases, UFDR reports are shared with colleagues that need to review them in a different language. You can set the default interface language when opening a UFDR report. This allows the Cellebrite Reader to load in the predetermined language without the need to configure this in the Settings screen. The setting is stored for any UFDR that is created. In Cellebrite Reader a message will be displayed if the report language is different from the application language.
9.4. Generating a Preliminary device report


Generate an ‘at a glance’ intelligence report that includes parsed device information and 
user account information. Such reports can be used as a quick reference for the lab, 
prosecutors, and investigators. 


This report includes the device info and a hybrid of the data in the User accounts. This useful 
‘at a glance’ data can inform the investigation units about where other 3rd party evidence 
may reside and identify if accounts known to the Investigation are still on the device. 


This PDF report can be emailed to the investigation unit as soon as Physical Analyzer has 
finished loading the extraction. 


To generate a Preliminary device report: 


There are two ways to generate this report: 


» From main menu, select Reports > Generate preliminary device report. 


[Screenshot: Cellebrite Physical Analyzer 7.42.0.19, Report menu showing Generate report (Ctrl+R) and Generate preliminary device report, with the Extraction Summary of a Samsung GSM SM-G955FD Galaxy S8+ project: Extractions: 1, File System [Android ADB], 8/15/2020 10:39:09 AM (UTC-4).]


» In the Extraction summary click Generate preliminary device report. 


[Screenshot: Extraction Summary (1) tab with the toolbar buttons Add extraction, Add external file, Project settings, Generate report, and Open Virtual Analyzer.]


The PDF report will be generated and stored to the default reporting path location. 
10. Performing extractions


In Physical Analyzer, perform device extractions in the following ways: 


1. For iOS devices, perform physical extraction, file system extraction or Passcode recovery 
from the device using the iOS device extraction application. 


2. For GPS or mass storage, perform an extraction via Physical Analyzer. 


10.1. Extraction from iOS devices 


Perform a physical extraction from an iPhone, iPod, or iPad device, using the iOS Device 
Data Extraction wizard. 


Prerequisites 


To perform an extraction from an iOS device, you will need: 


» Physical Analyzer installed on a PC. 


» UFED Cable Number 110 or UFED Cable A with Tip T-110 or Apple 30 pin USB cable 
supplied with the device. 


» UFED Cable Number 210 for iOS logical extractions from iPhone 5, iPad Mini and iPad4. 


Extraction from iOS devices is not supported in Virtual Machine environments.

In addition, an Internet connection is required the first time you run iOS device extraction in order to download the necessary support package. Alternatively, the support package can be downloaded using a different computer and copied manually to the computer running iOS device extraction. iOS device extraction automatically notifies you when a software update is available.


iOS calendar events with a year value of 1604: In general, a calendar entry needs to have a year value, so, when it does not, the timestamp is automatically populated with the default year of 1604. Why 1604? Because it is unlikely that a 21st century user will have any event which happened in 1604 in their calendar, so it is a good indicator of a timestamp without a year. This is a leap year, so if the timestamp falls on 29 February, it will still be supported. 1604 was before the Julian-Gregorian calendar switch.
10.1.1. Physical extraction


Perform physical and file system extractions for iOS devices. 


For a complete list of supported devices, refer to UFED Phone Detective or the UFED 
Supported Devices document in MyCellebrite. 


This feature is available with Physical Analyzer only. 


10.1.1.1. Performing physical extraction from non-encrypted iOS devices 


1. Select Extract > iOS device extraction, or click the corresponding toolbar icon, to start iOS device extraction.

   [Screenshot: iOS Device Data Extraction Wizard, "Choose an extraction type": Advanced Logical extraction, Physical mode, Information.]

2. Click Physical mode.

   The first time that you run iOS device extraction, or when a new support package is available, you are prompted to download the iOS Device Support Package. The support package contains the latest utilities that enable iOS device extraction to work with a variety of devices and iOS versions. Depending on your Internet connection, the download may take some time.

   Click Install if the computer running Physical Analyzer has an Internet connection. If your computer is unable to connect to the Internet, use a computer with an Internet connection to download the latest support package file as follows:

   a. Go to community.cellebrite.com
   b. Download the support package file called iOS Device Support and save it to the computer running Physical Analyzer.
   c. When prompted to install the support package, click Install from file, then navigate to the location of the support package file, and click OK.
3. Follow the displayed instructions to power off the iOS device and then click The device is off.

   [Screenshot: "Turn the device off" (Connect > Prepare > Extract data): Press and hold the Power button. Slide to power off. Buttons: Back to start; The device is off.]

4. Follow the displayed instructions to activate the iOS device in Recovery Mode.

   [Screenshot: "Connect the device in recovery mode" (Connect > Prepare > Extract data): Press and hold the Home button. Connect the cable while still holding the Home button. Connect Adapter A with T-110 (or Cable #110) to the computer and not to the device. Keep holding the home button even after this image appears.]

   The process automatically continues to the next step.

   [Screenshot: "Successfully entered Recovery Mode" (Connect > Prepare > Extract data): You can release the Home button now. Device Info: Device model: iPhone 4 CDMA; iOS version: 7.0.3-7.0.6; Serial number: C8THTKMNDPOV; ECID: 0000023E80140CB5; Board: n92ap; iBoot firmware version: iBoot-1940.3.5; Chip ID: 8930.]
After a device in Recovery Mode is detected, iOS device extraction displays some device information, such as serial number, hardware version, iOS version and more.

5. If you need this information, click Copy to copy the device information to the clipboard.

   When a range of versions is displayed, the version of the device may be any version within the displayed range. For example, if the version shows 4.0-4.0.2, the actual version can be 4.0, 4.0.1 or 4.0.2.

6. Click Next to continue.

7. Follow the displayed instructions to set the device to DFU (Device Firmware Upgrade) mode.


   [Screenshot: "Prepare the device for physical extraction" (Connect > Prepare > Extract data): The device needs to be in DFU mode (Device Firmware Update) to enable data extraction. Press and hold both the Power and Home buttons. When the device screen turns black, wait 3 seconds. Release only the power button. Keep holding the home button.]

   iOS device extraction does not affect the device firmware or user data.

   This step requires precise timing. If the device accidentally turns on, disconnect it from the cable, turn it off, then go back to step 4.

   When the device is in DFU mode, a forensics program required for the extraction automatically uploads to the device.
   [Screenshot: "Successfully entered DFU Mode" (Connect > Prepare > Extract data): You can release the Home button now. The wizard is now uploading the forensic program to the device. This will take about a minute. Stage 7 out of 24: Uploading bootloader file (iBSS). Total Progress: 16%.]

8. The device is now ready for extraction. Choose the desired extraction type.

   [Screenshot: "Choose an extraction method" (Connect > Prepare > Extract data): The device (iPhone 4 CDMA with iOS 7.0.3-7.0.6) is encrypted and protected with a simple passcode. All data can be fully extracted and decrypted in UFED Physical Analyzer. The passcode can be recovered automatically, if you don't know the passcode. Options: Physical Extraction (Extract a physical image of the device's storage memory to your computer); File System Extraction (Extract all files from the device to your computer); Passcode recovery (Recover the passcode so you can unlock and use the device). Links: Extraction and Encryption FAQ; Turn off the device and exit.]

9. Choose the desired extraction method:

   » For Physical Extraction: User data partition, System partition, or both.
   » For File System Extraction: User data partition or both.

10. Choose the location to which to save the extracted data. You can save it locally on the computer or to any removable storage device.

   [Screenshot: "Choose an extraction method" (Connect > Prepare > Extract data): User data partition (contains photos, email, text messages, contacts, settings, etc.); System partition (contains only operating system files); User and system data partitions. "Where would you like to save the extraction?": My documents\My UFED Extractions; Desktop; Browse... Button: Start extraction.]


11. Click Start extraction to continue.

   If the device is locked with a passcode, see Performing physical extraction from encrypted devices (below).

12. Wait for the extraction process to complete.

   The duration varies depending on the extraction method, the device model, the amount of data on the device, the extracting computer, and other parameters.

   The following options are available at the end of the extraction process:

   » Open in Physical Analyzer - Loads the extraction file in Physical Analyzer.
   » Open file location - Opens the folder that contains the extraction files.
   » Turn off the device and exit - Turns off the device and sets it back to normal mode.
   » Back to extraction options - Returns to the extraction methods screen (step 8).

13. Turn off the device and set it back to normal mode.


10.1.1.2. Performing physical extraction from encrypted devices 


iOS device extraction can extract data from encrypted devices. The amount of data that can be extracted depends on the type of passcode the device is locked with.

There are two kinds of passcodes:

» Simple passcode - 4 digits from 0 to 9 (e.g. 1234, 8787, 2580, etc.)

» Complex passcode - Any combination of numbers, letters and symbols (e.g. 93qP@ Mv, iLoVeYoU, etc.)

The decryption process happens in Physical Analyzer and not during the iOS device extraction. Most data, such as contacts, messages, photos, some emails, and more, can be decrypted without knowing the passcode. However, to decrypt some of the saved passwords and emails, you need to know the device passcode.




If the device is locked with a simple passcode, iOS device extraction automatically recovers the passcode for you. If the device is locked with a complex passcode, you can manually try as many passcodes as you like, or continue the extraction without being able to decrypt some of the saved passwords and emails.

If the device isn't locked with a passcode, all data is extractable - even if the device is encrypted.


10.1.1.2.1. Extracting data from a device with a simple password 


1. Perform steps 1-7 of Performing physical extraction from non-encrypted iOS devices (on page 270).

   When the device is ready for extraction (step 8), an additional Passcode Recovery option is added to the two extraction options (Physical Extraction and File System Extraction).

   The Passcode recovery option provides the device passcode so you can unlock and use the device.

2. To extract and recover the passcode in a single process, choose Physical Extraction or File System Extraction.

   The following steps demonstrate a physical extraction process (starting at Performing the Data Extraction), but they are the same for a file system extraction.

   [Screenshot: "Choose an extraction method" (Connect > Prepare > Extract data): The device (iPhone 4 CDMA with iOS 7.0.3-7.0.6) is encrypted and protected with a simple passcode. All data can be fully extracted and decrypted in UFED Physical Analyzer. The passcode can be recovered automatically, if you don't know the passcode. Options: Physical Extraction; File System Extraction; Passcode recovery. Links: Extraction and Encryption FAQ; Turn off the device and exit.]

3. Click Physical Extraction.

4. Choose the partition you wish to extract, and the location where you want to save the extraction, then click Next.

5. If you don't know the passcode, click Recover the passcode for me to recover the passcode prior to the extraction.

6. If you know the passcode, enter it in the text box field below. A check mark verifies if the correct passcode was entered.

7. Click Continue.

   The extraction process starts.
10.1.1.2.2. Extracting data from a device with a complex password


1. Perform steps 1-7 of Performing physical extraction from non-encrypted iOS devices (on page 270).

   When the device is ready for extraction, an additional Passcode Recovery option is added to the two extraction options (Physical Extraction and File System Extraction).

   Use the Test Passcodes option to test and verify as many passcodes as you like in real time. iOS device extraction cannot recover a complex passcode.

   Most data is decrypted in Physical Analyzer, but some of the saved passwords and email files are not decrypted unless the complex passcode is known.

   The following steps demonstrate a physical extraction (starting at Performing the Data Extraction), but they are the same for a file system extraction.

2. Click Physical Extraction.

3. Choose the partition you wish to extract and the location to which you want to save the extraction, then click Next.

   [Screenshot: "The passcode is required for the decryption" (Connect > Prepare > Extract data): Use this option if you don't know the passcode: Recover the passcode for me. If you know the passcode, enter it here to save time: (text field). The passcode consists of four digits from 0 to 9.]

4. Do one of the following:

   » If you know the complex passcode, enter it manually. If you do not know the complex passcode, be aware that some data cannot be decrypted by Physical Analyzer.
   » Use the text field to test as many passcodes as you like without locking the device. A check mark appears when you enter the correct passcode.

5. Do one of the following:
   » To start the extraction with the complex passcode, click Continue >.
   » To start the extraction without the complex password, click Continue without passcode.

   The extraction process begins.
10.2. Extraction from GPS or mass storage devices

Extract and save data from a GPS device (Garmin, Mio, and TomTom) or a mass storage device.

Only administrator users can read data from GPS devices. If you are not logged in as an administrator, close Physical Analyzer, right-click the Physical Analyzer icon on your desktop, and select Run as administrator.

This feature is available with Physical Analyzer only.

1. Connect the GPS or mass storage device to your PC.
2. Select Extract > Extract GPS/mass storage device. The following window appears.

   [Screenshot: Extract GPS/mass storage device window with a save path (C:\Users\baraks\Documents\My UFED Extractions), a browse button, and a Total time field.]

3. Select the device.

4. Do one of the following:
   » Enter the path where you want to save the data extracted from the device.
   » Click the browse button and browse to and select the desired location.

5. Click Start.

   [Screenshot: device type selection: Garmin GPS Device, TomTom GPS Device, Mio GPS Device, USB Mass Storage Device.]

6. Select the type. The extraction begins. When finished, the following message appears:

   Do you want to open the newly created Dump?

7. Click Yes to open the extraction.


10.2.1. Reading data from a GPS or mass storage device

Read and save data from a GPS device (Garmin, Mio, and TomTom) or a mass storage device.

Only administrator users can read data from GPS devices. If you are not logged in as an administrator, close Physical Analyzer, right-click the Physical Analyzer icon on your desktop, and select Run as administrator.

1. Connect the GPS or mass storage device to your PC.

2. Select Tools > Dump GPS/Mass Storage Device, or click the corresponding toolbar icon.

   [Screenshot: Dump GPS/Mass Storage Device window with a save path (C:\Users\baraks\Documents\My UFED Extractions), a browse button, and a Total time field.]

3. Select the device.

4. Do one of the following:
   » Enter the path where you want to save the data extracted from the device.
   » Click the browse button and browse to and select the desired location.

5. Click Start.

   [Screenshot: dump type selection: Garmin GPS Device, TomTom GPS Device, Mio GPS Device, USB Mass Storage Device.]

6. Select the dump type. The extraction begins. When finished, the following message appears:

   Do you want to open the newly created Dump?

7. Click Yes to open the extraction.
11. Advanced features


This section describes some advanced features of Physical Analyzer such as: 


AL Bel dep NM May tas Sechelt So eens ands la Atel mace abe en te Miike a eke baie Seon aa a hs 281 
MEZ APPO ao ea tt Se nn al let See eeaeee e eaae 285 
Tiko. VictualANalyzer asc 5 ot accel ected se es eee di abheSiotee sai seal alaucebuntetetice 288 
Ike Accessing HUN sesde a ss ed e id Anadis Ea EEEE 300 
MES Seal OM cn Sia Se aise et on sett a ncaa aa as dohet ety ox, 307 
EAA NS ng tic E A EE E A E E 330 
11.7. Generating dictionary files a 0 hie tegen eps te ceca dag Gareeuueaeiel ined nae agate 333 
11:8; Wörking with TOTON 2c cfie tate teal netl tt ieetnnereebassaskadicdelnadseaga idd eE NEER 334 
11.9. Opening an encrypted extraction ya. toile ce te cudgel dpe eal Yue taety de bea waeluay 336 
11.10. Opening an encrypted zip file occ 002 pc sca sc eee vocas bute oe glgubede gh eds akbs ceded ceerebowansly 338 
11.11. Extraction and decryption of BlackBerry backup files ......0.2..00. 2.2222 c cece eee eee 339 
11.12. WhatsApp decryption on BlackBerry databases _........ 2... cece eee eee ee 340 
11.13. Exporting an account package from Physical Analyzer ............2.2..2.22.222222 2c ee eee 345 
1114: Media classification esisiini orero L ae e E ch Ane A EE ia ic Led ssiuia teh 346 
1119 CVG apps decoding essre i a ee aaa er E Teat 353 
PeO Biel 516 Image S sean a a a E E E E 357 
1117; Carving AON NS messo ea ihe espe E O E a Rite teen 361 
TEAS: Generic SC ate tessa. eta ee eee tare eu te seen E a Ea eee nese meee 363 
11.19. Verifying hash values ... 364
11.20. Accessing WhatsApp Web data ... 365
11.21. Network dongle - admin procedures ... 369
11.1. App insights


Browse the apps on the device sorted by category and select the apps for which you require additional data. Each category includes a list of related apps. The categories include store categories from Google Play and the Apple App Store, as well as important categories defined by Cellebrite, e.g., Hide files or folders (for suspicious apps) and Spoofing. Internal application services are not displayed in this view.


11.1.1. Extraction summary 


[Screenshot: Extraction Summary for a Samsung GSM GT-i9506 Galaxy S4 physical (bootloader) extraction, with the toolbar Add extraction, Add external file, Project settings, Generate report and Open Virtual Analyzer. The Insights from Installed Apps panel lists category counts such as Social networking (77 apps), Developer tools (17 apps), Chat applications, Hide files or pictures (5 apps), Utilities (28 apps), News & Books (5 apps), Lifestyle (22 apps) and Music (3 apps), with a View all link]


In the Extraction Summary, you can see a snapshot of the app categories and the number of apps in each category. To see all the installed applications, click View all.


11.1.2. Installed Applications 


From the Insights tab, you can browse the apps on the device sorted by category and select 
the apps for which you require additional data. 


[Screenshot: Installed Applications (60), Insights tab. Heading "Select apps for more data: Browse the apps found on this device and select to get more data from them. Note: Internal application services are not displayed in this view." Categories such as Games, Lifestyle, Finance, Music, Health & Fitness, Education and Unknown are listed; each row shows the number of apps no longer in store, the number of apps that may not be from store, and how many apps were decoded by Cellebrite (e.g. 0 of 7 apps decoded by Cellebrite, Apps may not be from store: 18). The right-hand pane reads "No apps selected"]


This view shows all the categories found on the device. You can select an entire category with all its apps, or browse and select individual apps. For each category it also shows the number of apps that may not be from the store (that is, apps that could have been installed from a source other than the official app stores), the number of apps that are no longer available in the app store, and how many apps in the category were successfully decoded (for example, 6 of 19 apps decoded by Cellebrite).
The following table explains the icons and fields displayed in the window.

11.1.2.1. App actions

Decoded icon: Apps that were decoded by Cellebrite.

Generic app icon: Generic Cellebrite representation of the app. If possible, app icons are displayed from Google Play or the App Store.

Not-in-store icon: Apps that the user installed and that are no longer available in the store.

Unsupported-category icon: Categories whose apps are not supported by AppGenie by default. You can change this limitation in the settings window (General Settings > Decoding).

Info icon: Click this image next to each app to view a description of the app as it appears in Google Play or the App Store. The first 500 characters are displayed.

Refine by: Filter the apps by selecting the following options:
» Emulatable apps: Only show apps that can be emulated by the Virtual Analyzer.
» Not decoded by Cellebrite: Only show apps that were not decoded by Physical Analyzer.
Click Clear filters to reset the filters.

Search apps: Enter text to find the app.

Expand all / Collapse all: Expand or collapse all the apps in each category.
To get more data from apps:

1. Select the required apps. The selected apps appear in the area on the right.

[Screenshot: "4 apps selected" pane listing Facebook (com.facebook.Facebook), Messages (com.apple.MobileSMS), Skype (com.skype.skype) and Viber (com.viber), each with a remove (x) control, and a Remove all link]

2. To get additional information, select the tools you would like to run. Select from the following tools (not every tool applies to every app):

» AppGenie: AppGenie is a research tool that provides additional app data such as Contacts, User accounts and Chats. The tool's availability depends on the selected app categories. You can change this limitation in the settings window (General Settings > Decoding). For more information, see AppGenie (on the facing page).

» Virtual Analyzer: This tool is only enabled for Android devices. Additionally, a maximum of 5 apps can be selected, and these apps must support emulation. For more information, see Virtual Analyzer (on page 288).

» SQLite wizard: This tool is only enabled for applications with databases. For more information, see SQLite wizard (on page 307).


11.1.3. Table view 


[Screenshot: Installed Applications (60), Table View tab, with Clear filters and the Export, Filters and Actions menus. Columns: Decoded by, Name, Version, Categories, Identifier. Example rows include App Store (com.apple.AppStore), AppBox Lite, Bejeweled 2, Calcalist, Calculator (com.apple.calculator), Clock, Compass (com.apple.compass), Contacts, Cydia (com.saurik.Cydia), DemoApp, Facebook (decoded by Cellebrite and AppGenie; categories Social networking and Chat applications), Flashlight, iGO My way, Installous (com.hackulo.us.install), iPodOut and LogMeIn (com.logmein.ignition). The Categories column shows either a store category such as Utilities or the flag "App may not be from store". Footer: Total: 43, Deduplication: 0, Items: 43/60, Selected: 43]


From the Table View tab, you can view the applicable categories for each app and whether the app may not be from the store. You can also filter the table by category. The Decoded by column indicates whether the app was decoded by Cellebrite and/or by a tool such as AppGenie, Virtual Analyzer or the SQLite wizard.

Switch to the Table View to see a list of installed apps and their categories.
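The Table View flags apps that could not be matched to a store listing and shows which apps no parser decoded. The following Python script is an added example, not Cellebrite code, that performs the same triage over an app inventory exported from such a view: known jailbreak or sideloading tooling is raised first, apps with no store match are queued for review, and undecoded apps are listed as candidates for AppGenie or the SQLite wizard. The inventory format, its in_store field and the indicator list are assumptions constructed for this example; Cydia and Installous appear in the manual's sample table, while Sileo and Zebra are added as an assumption.

```python
# Added example, not Cellebrite code: triage an installed-app inventory for
# apps that may not come from an official store and for jailbreak tooling.
from dataclasses import dataclass

# Assumption: identifiers treated as jailbreak/sideload indicators on iOS.
# Cydia and Installous appear in the manual's sample table; Sileo and Zebra
# are commonly known package managers, listed here as an assumption.
JAILBREAK_INDICATORS = {
    "com.saurik.Cydia": "Cydia package manager (jailbreak)",
    "com.hackulo.us.install": "Installous (unofficial IPA installer)",
    "org.coolstar.SileoStore": "Sileo package manager (jailbreak)",
    "xyz.willy.Zebra": "Zebra package manager (jailbreak)",
}

SEVERITY_RANK = {"high": 0, "review": 1, "info": 2}


@dataclass(frozen=True)
class InstalledApp:
    identifier: str
    name: str
    in_store: bool            # assumption: identifier matched a store listing
    decoded_by: tuple = ()    # e.g. ("Cellebrite", "AppGenie"); empty = not decoded


@dataclass(frozen=True)
class Finding:
    identifier: str
    severity: str             # "high" | "review" | "info"
    reason: str


def triage(apps):
    """Return findings ordered by severity, then identifier, so two runs over
    the same inventory produce an identical list for the report."""
    findings = []
    for app in apps:
        if app.identifier in JAILBREAK_INDICATORS:
            findings.append(Finding(app.identifier, "high",
                                    JAILBREAK_INDICATORS[app.identifier]))
        elif not app.in_store:
            findings.append(Finding(app.identifier, "review",
                                    "not matched to a store listing; check installer "
                                    "source and code signature before relying on it"))
        if not app.decoded_by:
            findings.append(Finding(app.identifier, "info",
                                    "no parser decoded this app; candidate for "
                                    "AppGenie or the SQLite wizard"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.identifier))


def summary(findings):
    """Counts per severity, for a one-line summary in the report."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory loosely modelled on the manual's table view.
SAMPLE_INVENTORY = [
    InstalledApp("com.apple.AppStore", "App Store", True, ("Cellebrite",)),
    InstalledApp("com.facebook.Facebook", "Facebook", True, ("Cellebrite", "AppGenie")),
    InstalledApp("com.apple.calculator", "Calculator", True, ("Cellebrite",)),
    InstalledApp("com.saurik.Cydia", "Cydia", False),
    InstalledApp("com.hackulo.us.install", "Installous", False),
    InstalledApp("com.example.demoapp", "DemoApp", False),
    InstalledApp("com.example.puzzlegame", "Puzzle Game", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.severity:6} {f.identifier:26} {f.reason}")
    print(summary(triage(SAMPLE_INVENTORY)))
```

A jailbreak indicator outranks the "may not be from store" flag because the presence of a package manager changes what the rest of the inventory means: every other app on the device could have been modified or sideloaded, whether or not the store lookup matched it.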
11.2. AppGenie


AppGenie is a research tool that tries to automatically identify specific artifact types in device databases. It analyzes databases using past decoding support and heuristics, and can provide additional app data such as Contacts, User accounts, and Chats.

As a research tool, its suggested results do not replace native Physical Analyzer decoding and should be treated as preliminary/triage results for manual review, because they may include false positives and partial results. Review the results before including them in your reports.


To run the AppGenie: 


1. Select Tools > AppGenie. The AppGenie introduction window appears.

2. Click Next. The app selection window appears.
[Screenshot: AppGenie app selection window ("Browse the apps on the device sorted by category and select the apps for which you require additional data") for active project Samsung GSM_GT-i9205, with Refine by, Expand all and Search apps controls. Categories listed with counts: Social networking (10 of 18 apps decoded by Cellebrite), Chat applications (9 of 15), Utilities (3 of 12), Lifestyle (1 of 10), Games (1 of 9), Developer tools (2 of 8), News & Books (0 of 4), Hide files or pictures (0 of 3) and Entertainment (0 of 3), several showing the number of apps no longer in store. The right-hand pane reads "No apps selected"]


The actions and information displayed in this window are explained under App insights (on page 281).

3. If you have more than one project open, select the Active project.

4. Select the categories and apps from which you require additional data. You can search for the app, or add filters to refine the displayed apps by Emulatable apps or by apps that were not decoded by Physical Analyzer.

5. Click Open AppGenie to access the Summary window. The AppGenie summary window appears.


[Screenshot: AppGenie summary for selected project Samsung GSM_GT-i9506 Galaxy S4, 6 apps selected: GO SMS Pro (com.jb.gosms), Hangouts (com.google.android.talk), Instagram (com.instagram.android), InstaMessage-Chat,meet,hangout (com.futurebits.instamessage.free), icq video call & chat (com.icq.mobile.client) and Google+ (com.google.android.apps.plus), with a Start button]


6. Click Start. A progress window appears ("AppGenie is getting more data", with the app currently being parsed, e.g. "App Genie is parsing Hangouts", and a Cancel button).

The new artifacts are displayed in the Analyzed Data tree under Manual Data Collection, for example:

Manual Data Collection (5699)
  Genie: Chats (1433)
  Genie: Contacts (4115)
  Genie: Locations (38)
  Genie: Passwords (61)
  Genie: User Accounts (52)
11.3. Virtual Analyzer


The Virtual Analyzer enables you to view your data as if you were using the owner's device, 
validate decoded artifacts and recover data from unsupported apps. It requires an active 
Physical Analyzer license. The Virtual Analyzer is based on the Andy OS emulator, which is an 
external tool that simulates an Android device on your computer. 


This emulator supports up to Android OS 7.0. The Virtual Analyzer tool complements other 
generic solutions such as SQLite and Fuzzy Models. To use the Virtual Analyzer, you need 
APK files, which are only extracted as part of Physical extractions (and some file system 
extractions). 


To run the Virtual Analyzer, do one of the following:

» Click the Open Virtual Analyzer button in the Extraction Summary.
» Right-click an app in the Installed Applications model and select Open in Virtual Analyzer.
» Select Tools > Virtual Analyzer.

These options are not available until an extraction with APK files is added to Physical Analyzer.

For more information, see the following topics:

Online/offline mode (on the facing page)
Virtual Analyzer notes (on page 290)
Installation process (on page 291)
Using the Virtual Analyzer (on page 294)
Emulation options (on page 299)
11.3.1. Online/offline mode


Apps that require an Internet connection may not work properly or may not show all their data. Running an app in the Virtual Analyzer is like running it in airplane mode: the default offline mode restricts Internet connectivity, so actions performed in the emulator are not synced with the app's servers.

Working online can subject your evidence to changes while syncing, and you will not be able to revert any changes that occur.

To switch to online mode:

1. Contact Cellebrite Support for the configuration file that enables online access. When selecting apps, the Virtual Analyzer will then offer the option to switch between online and offline mode.

[Screenshot: Internet connection switch (On/Off). Text: "Virtual Analyzer is set to work with no Internet connection. Some apps need to be connected to the Internet to work with the Virtual Analyzer." Warning: "You are about to connect the Virtual Analyzer to the Internet. Working online can subject your evidence to changes while syncing. You will not be able to revert any changes that might occur."]

2. Click the switch to On.
11.3.2. Virtual Analyzer notes

» The Virtual Analyzer installation may not complete successfully if graphics drivers are not fully updated. If you encounter installation errors, update your display drivers, restart your computer and try again.

» The Virtual Analyzer installation may not complete successfully if VMware Player is already installed. If you encounter installation errors, uninstall VMware Player and then try again.

» To install the Virtual Analyzer, VT-x must be enabled in your machine's BIOS. If you encounter errors during the Andy OS installation, check that VT-x is enabled in the BIOS. The steps differ slightly between computers, but in general look in the BIOS settings for Advanced > CPU Configuration > Intel Virtualization Technology (VT-x) or something similar, change it to Enabled, and then Save and exit.

» The Virtual Analyzer is a generic Android solution, but currently does not support all apps.

» The Virtual Analyzer only displays the data as displayed by the device. Deleted files or metadata that are not displayed by the app will not be displayed in the Virtual Analyzer.

» When running for the first time, or each time after closing the emulator window, the Virtual Analyzer performs a clean restart and therefore takes longer to load (like restarting a mobile device).

» If the emulator window is open, you can load additional apps into the current session. The Virtual Analyzer window is hidden until the new apps finish loading.

» To maintain data integrity, you cannot load APKs from different Physical Analyzer projects into the same Virtual Analyzer session.

» UFDR files of physical extractions that include "Uncategorized" data files can also be used in the Virtual Analyzer, but not in Cellebrite Reader.

» The data in the Virtual Analyzer is writable (you can change the data presented in the Virtual Analyzer, such as delete a message from a chat, enter text, etc.). The extraction itself will not be affected at any time. If the app is re-opened in the Virtual Analyzer, your changes will not be saved. The Virtual Analyzer itself does not save the data; each Virtual Analyzer session on a specific extraction starts from a clean slate.

» The Virtual Analyzer is a virtualization solution. Running it inside a virtual machine may cause it to work very slowly or not at all. We recommend running the Virtual Analyzer on a physical computer.

» Apps work the same way as if the device was in flight mode. App errors, pop-up windows, and apps that are partially working or not working at all could be due to the lack of an Internet connection.

» Stopping the emulation of an app in the middle might cause the Virtual Analyzer to restart, and loaded apps will need to be re-loaded.
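The notes state that a session never alters the extraction, while the online-mode warning says that syncing can change evidence. An examiner can hold both claims to account by hashing every file in the extraction folder before and after a session and comparing the two manifests. The following Python script is an added example, not Cellebrite code; the folder layout and file contents it creates are constructed stand-ins for an extraction, and the same snapshot and compare functions can be pointed at a real extraction directory.

```python
# Added example, not Cellebrite code: hash an extraction folder before and
# after a Virtual Analyzer session and report any file that changed.
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large APKs and images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root):
    """{relative POSIX path: sha256} for every regular file under root."""
    root = Path(root)
    return {(Path(d) / f).relative_to(root).as_posix(): sha256_file(Path(d) / f)
            for d, _, files in os.walk(root) for f in files}

def compare(before, after):
    """Files whose hash differs, plus files that appeared or disappeared."""
    return {
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }

def build_sample_folder():
    """Constructed stand-in for an extraction folder; file contents are dummies."""
    root = Path(tempfile.mkdtemp(prefix="extraction_"))
    app = root / "data" / "com.example.messenger"
    (app / "databases").mkdir(parents=True)
    (app / "base.apk").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (app / "databases" / "msgstore.db").write_bytes(b"SQLite format 3\x00" + b"\x00" * 32)
    return root

def simulate_session_writes(root):
    """Mimic what an online-mode sync or a careless tool could do to the folder."""
    app = Path(root) / "data" / "com.example.messenger"
    (app / "databases" / "msgstore.db").write_bytes(b"synced content")
    (app / "cache.tmp").write_bytes(b"\x00")

if __name__ == "__main__":
    folder = build_sample_folder()
    baseline = snapshot(folder)
    simulate_session_writes(folder)
    print(compare(baseline, snapshot(folder)))
```

Take the baseline snapshot from the folder as it was when the case was opened, and keep the manifest with the case notes; an empty compare result after the session is the evidence that the working copy is still what was hashed at acquisition.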
11.3.3. Installation process


To install the Virtual Analyzer: 


1. Select Tools > Virtual Analyzer. The introduction window appears.

[Screenshot: "New to Virtual Analyzer? View your data as if you were using the owner's device. *Available for Android OS." with a Learn more link and the note "The Virtual Analyzer cannot change the extracted data in UFED Physical Analyzer. Additionally, the default offline mode restricts Internet connectivity, so actions performed in the emulator are not synced with an app's servers." and a Let's start button]

2. Click Let's start. The Installation required window appears: "To use the Virtual Analyzer, you need to install the AndyOS emulator. Click Download to start downloading from the web."

3. Click Download and wait for the file to download.

If you do not have Internet access, you can download the Virtual Analyzer from MyCellebrite > Downloads.

4. Unzip the VirtualAnalyzerSetup.zip file and then double-click the Andy setup file to start the installation process. The Cellebrite - Andy OS Setup window appears, showing the Andy OS Inc. Terms of Service.

5. Click Accept and Install.

6. If required, click Yes to accept the Windows User Account Control warning to allow the app to make changes. The Setup Progress window appears (for example, "Processing: AndyPreInstall").

7. Follow the setup instructions and then wait for the setup process to finish. The "Installation Successfully Completed" window appears.

8. Click Close.
11.3.4. Using the Virtual Analyzer


1. Use the Case wizard to add a physical extraction, then click Start decoding.

[Screenshot: Extraction Summary for a Samsung GSM GT-i9205 Samsung Galaxy project with Advanced Logical, Physical and UFED Cloud extractions; the toolbar shows Add extraction, Add external file, Project settings, Generate report and Open Virtual Analyzer, next to the Insights from Installed Apps panel]

2. After the extraction finishes decoding, run the Virtual Analyzer. The app selection window appears.

[Screenshot: "Select applications you want to view in Virtual Analyzer" for active project Samsung GSM_SM-N915G Galaxy Note Edge, with 0 Apps selected, a Hide unsupported apps link, and the columns Decoded by, Installed on and File size]

3. Click the Hide unsupported apps link to hide the apps that cannot be emulated.

4. Select the apps that you want to view in the Virtual Analyzer and then click Next. You can select a maximum of 5 apps. A message is displayed that the selected apps are being prepared for the Virtual Analyzer and that the process takes time to complete. The set-up summary window appears.
[Screenshot: Virtual Analyzer set-up summary for selected project Samsung GSM_SM-N915G Galaxy Note Edge, 3 apps selected: BBM - Free Calls & Messages (com.bbm, 22.23 MB), Badoo - Free Chat & Dating App (com.badoo.mobile, 25.72 MB) and Facebook (com.facebook.katana, 309.48 MB). Good to know: Some apps need to be connected to the Internet to work with the Virtual Analyzer (Learn more); Starting the Virtual Analyzer and loading app data may take some time; The process installs the relevant APKs and copies the app data.]

This summary window explains what is going to happen in the following step. It displays the selected project, the selected apps and their size, and additional information.

The more apps you select, the longer it will take to prepare the apps in the Virtual Analyzer.

5. Click Start. The notification "Preparing selected apps for Virtual Analyzer. Starting the Virtual Analyzer. This might take a few minutes..." appears, with a Stop Virtual Analyzer button.

After a few minutes, depending on the number and size of the apps, the Virtual Analyzer appears.
6. Select the required app.

[Screenshot: Cellebrite - Andy 47.0.1153 emulator window showing the selected app's contact list]

The following example shows a chat conversation for the selected app.

[Screenshot: Cellebrite - Andy 47.0.1153 emulator window showing a Voxer chat conversation]

Use the Screen capture tool to capture images or videos of any relevant evidence and include them in the project. For more information, see Recording screen captures and video (on page 186).
11.3.5. Emulation options

The following information is taken from the Andy OS User Manual. For more information on using Andy OS, see the Andy OS User Manual.

Camera: Pick the camera you want to use inside Andy. You can switch between cameras on-the-fly. You can also disable the camera entirely.

Microphone: Pick the microphone you want to use with Andy. You can also disable the microphone entirely.

Location:
» Auto: Andy uses your system location if available. If not, your IP location is used instead.
» Manual: Andy uses the location you set manually in the GUI.
» Latitude: Adjusts the latitude coordinate.
» Longitude: Adjusts the longitude coordinate.
» Altitude: Adjusts the altitude.
» Accuracy: Adjusts how accurate the location reading is. This affects the blue circle around the indicator in Google Maps, for example.
» Bearing: Adjusts the direction you are facing.
» Address: Enter an address and press Enter to go to that address on the map.

Keymapper: Andy automatically picks the right keymapper configuration file for the running application from the designated folders. You can, however, manually choose a different configuration file at any time.

Menu: Not many applications use the menu button anymore, but for those old-school applications that do, you will be prepared.

Orientation: Andy switches its orientation intelligently based on the running application. If, however, you want to change the orientation manually, use this button.

Fullscreen: Andy enters fullscreen mode for a more immersive experience. The hotkey for this is F11. Alternatively, you can set Andy to start in fullscreen.

Multitasking: To multitask in Andy and switch between running applications, press the square icon next to the home button (circle). This opens a window with all running applications, which you can choose between. Pressing the home button while inside an application does not close it, but rather minimizes it. To quit an application, open the multitasking menu and then flick it off the screen. This closes the application completely and frees up the RAM and resources it was using.
11.4. Accessing public data


Publicly available data from social media channels has positively impacted investigations of all kinds and has proved to be an excellent supplement. However, until now many of the existing methods have been manual, time consuming and ineffective.

Physical Analyzer enables you to extract and preserve public domain data in a forensically sound way, in one workflow. With an active Physical Analyzer license, you can enrich your extracted data sources and quickly reveal evidence hiding in plain sight on Facebook, Instagram and Twitter.


To use this capability, you need to have an Internet connection available. 


For more information, see the following topics: 


Extracting the data (on the facing page) 


Creating a public domain avatar (on page 305) 


Extracting public cloud account data (on page 234) 
11.4.1. Extracting the data


You can extract a person's public data by providing an avatar (a social media profile that you can use to extract public data; note that avatars are public profiles and, as such, are exposed to public review). Physical Analyzer uses the avatar to log in to the data sources and extract public data about the person.

The data available for extraction depends on the relationship between the chosen avatar and the profile being extracted (for example, a friend of a friend may be able to extract more data than a stranger). Public data is available for the following models: Contacts, Call logs, Chats, Email, and Instant Messages. An example with public data is shown next.

To extract public data:

1. Click the public data icon to see if there is more information on the person. The Public data pane appears.
[Screenshot: Public data pane: "To extract a person's public data, create or activate an avatar", with a Create avatar button]

2. Click Create avatar. The Manage avatars window appears ("Manage public domain avatars"), with a New avatar button and the columns User account, Password, Last validated, Data source and Active.

If you have already created at least one avatar, you can skip this step.

3. Create the avatars. For more information, see Creating a public domain avatar (on page 305).
[Screenshot: Extract public data window: "Now you can extract a person's public data directly into UFED Physical Analyzer. To do so, provide an avatar, and we'll use it to log in to the data sources below and extract public information about" the selected account ID, followed by a What is an avatar? link. Data sources to be extracted: Facebook, Instagram and Twitter, each marked Avatar available with a Manage avatars link; Don't show again check box, Cancel and Continue buttons]

4. Click Continue. The public data quick view appears.

[Screenshot: quick view for the selected person with the tabs All, Facebook, Instagram and Twitter, a Profile pictures row, and rows for Account name, Gender, Account ID, Education, Current city, Language, Relationship and Family, each with its source; Close and Extract public data buttons]

This quick view shows the public details of the person and profile images, including account name, account ID, gender, education, age, occupation, relationship status etc.

Public data may not be available for some people.

5. Click Extract public data to generate a full extraction of this person's public data. The extraction options window appears.
[Screenshot: "Select a date range" (Last Year, Last Month, Set custom range) and "Create a report": "Cloud extraction data will be displayed in the project tree as a new extraction, but won't be saved. To save the cloud data, create a report." with a "Create a report from this extraction" check box and a "Report will be saved here" location field]

6. Select a date range for the extraction: Last year, Last month or set a custom range.

7. If required, select the Create a report from this extraction check box and specify the location of the report. The generated report is in UFDR format. The report includes all the extracted public data for this person, so the data will not be lost when you close the application. Once the extraction is complete, you can view the data as a new separate project.

The extracted public data will be displayed in the project tree as a new extraction, but the data will not be saved. To save the public data, you need to create a report.

8. Click Start extraction.
11.4.2. Creating a public domain avatar

An avatar is a social media profile that you can use to extract public data. Avatars are public profiles and, as such, are exposed to public review, so it is not recommended to use a private account.

To prevent the Twitter account from being locked, it is recommended to add a mobile number to the source account.

To create an avatar:

1. From the Tools menu select Manage public domain avatars. The Manage avatars window appears, listing existing avatars with the columns User account, Password, Last validated, Data source and Active.

2. Click New avatar. The New avatar form appears, with the required fields Data source, Email/username and Password.
3. Select the data source: Facebook, Instagram or Twitter.

4. Enter the email or username.

5. Enter the password.

6. Click Validate. A message is displayed that the avatar was validated successfully.

7. Click Add to add the avatar. The Manage avatars window appears with the new avatar listed.

From this window, you can add additional avatars, activate or deactivate an avatar, edit the credentials for the avatar or delete an avatar.
11.5. SQLite wizard


With the SQLite wizard you can visually decode additional data from databases, particularly 
from unfamiliar databases that were not decoded and may contain important case 
information. This tool enables you to build queries and map database fields to Physical 
Analyzer models. Generated reports indicate fields that were manually decoded using this 
tool. 


All queries are managed in the SQLite query manager, where you can select to auto-run the 
query as part of the automatic decoding process, and save a query for future use. 


Encrypted content and attachments are not yet supported. 


This tool is for a single database only. 


To use the tool, you need to perform the following steps:

» Identifying a database (on the next page)
» Building the query (on page 311)
» Mapping data (on page 321)
» Running the created query (on page 327)


Enhance your forensic skills and learn more about SQLite database structures with the following recommended training course:

Cellebrite Advanced Smartphone Analysis (CASA)
4-day, Expert-level Certification

Participants will learn to:
» Conduct in-depth examination and forensic recovery of application data in SQLite databases
» Use techniques to defeat passcodes
» Analyze user data and system artifacts in iOS and Android devices using Physical Analyzer and third-party tools
» Create reports using Physical Analyzer / SQLite wizard
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11.5.1. Identifying a database 


Select a database from the list of databases under Data Files. You can also access the 
SQLite wizard from the Tools menu or button. In Databases view, you can see whether the 
databases were decoded by Physical Analyzer, manually decoded by the SQLite wizard or not 
decoded at all. We recommend that you select a database that has not yet been decoded. 


To select a database that was not decoded: 


1. In Analyzed data tree under Data Files select Databases, or click Tools > SQLite wizard > 
Select database. The Database tab or Select database window appears. 


Only SQLite databases are displayed in the Databases window. 


2. In the Decoded by column, select the (Blanks) check box so that only databases that are 
not decoded are displayed. An example is displayed next: 
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Decoded by filter menu: Sort Ascending, Sort Descending, Select All, (Blanks), Cellebrite, Cellebrite, User, User, Cancel.

The options in this window are as follows:

Option            Description
Select All        Selects all databases.
(Blanks)          Selects only databases that were not decoded.
Cellebrite        Selects only databases that were decoded by Physical Analyzer.
Cellebrite, User  Selects only databases that were decoded by Physical Analyzer or manually decoded.
User              Selects only databases that were manually decoded.

3. Select the required database, right-click and then select Open in SQLite wizard. The SQLite wizard starts and the following window appears:
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SQLite wizard window: "Use this tool to decode additional data from databases. Build queries to map database fields to UFED Physical Analyzer models." The window contains the Application field (Facebook in the example), the Name field (Facebook_Untitled in the example) and the Include deleted rows check box, with the note: Including deleted data increases the chances of false positive records.

The application name is displayed only if the application can be identified by the system. This field can be edited.

4. Enter a name for the query.
5. Select the Include deleted rows check box, if you want to include deleted data. Including deleted data increases the chances of false positive records.
6. Click Next. The following window appears.

Query builder window: "Double-click or drag the database tables to the work area and link database fields." The window contains the Query builder and DB viewer tabs, the database table tree (in the example, main with the tables android_metadata, bookmarks, bookmark_group, bookmark_group_order, bookmark_sync_status and _shared_version), the advanced options columns (Visible, Expression, Column Name, Sort Type, Sort Order, Aggregate, Grouping, Criteria), the Preview area (Max results: 10, Preview Count) and the Previous button.
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11.5.2. Building the query 


After identifying the database, drag the database tables to the work area, and create 
relationships between tables that will automatically generate a SQLite query. Alternatively, 
you can write your own SQLite query. You can then preview the results. 


Advanced options can be used for renaming, sorting, linking and grouping capabilities. See Advanced options (on page 318).


To build the query: 
1. Click the DB viewer tab to review the databases and fields. 
2. Double-click or drag the database tables to the work area. 


Query builder window: "Drag database tables to the work area and link database fields." In the example, the bookmark_group and bookmarks tables are dragged to the work area and linked on group_id, the bookmarks.group_id, bookmarks.bookmark_name and bookmarks.bookmark_url fields are selected, and the generated query and a preview of its results (bookmark names and URLs) are shown below the work area.

The numbered areas of the window are:

1 Database tables area
2 Work area
3 SQLite query area
4 Preview area

In the Max results list, you can select the maximum number of results to be displayed in the Preview area of the window, or you can keep the default value (10 results).
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3. If required, you can link (join) fields from different tables. This is useful if you need to 
combine records from two tables with matching values in a field common to both tables. 
Other actions, such as adding a derived table, adding common table expressions, using 
unions and setting properties, are also available. 


You can also edit or enter SQLite queries in the space provided. 


4. Click Preview to preview the results. 


Make sure that the selected query is correct before you click Next. The query cannot be edited in the following steps.


5. Click Next. To help you map the relevant fields and columns, the results are simulated in 
the right pane view. 


For examples of the model types and field descriptions, see Model types and descriptions 
(on the facing page). 
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11.5.2.1. Model types and descriptions 


The following examples show some of the model types as well as explanations of the fields in 
these models. 


11.5.2.1.1. Contacts 


Contacts model mapping window: "Select an existing UFED Physical Analyzer or generic model" (Contacts) and "Drag field types to the columns you want to map in the table below". The field types offered for this model are Name, Notes, Group, Contact Type, Created, Modified, Last time contacted, Times contacted, Entries (Category, Value), Addresses (Street, Street2, HouseNumber, City, State, Country, PostalCode, POBox, Neighborhood, Category) and Organizations. The Preview area (Preview max results: 10) shows the mapped columns with their Convert and Edit links, and the right pane shows the simulated Contact record with its Created, Modified, Last time contacted and Times contacted values, Extraction: Physical, and the Source file path (in the example, the Facebook contacts_db2 database under userdata (ExtX)/Root/data/com.facebook.katana/databases/).
Field                Type         Description
Name                 Text         Name of the contact. If the Name field is left blank, the entry is not listed in the address book of the device.
Notes                Text         Additional user-created notes added to the user's contact entry.
Group                Text         Refers to a group's contact details that can be stored on the device.
Contact Type         Enumeration  The type of contact. E.g., Unknown, Follower, Following, FollowingAndFollower, Spam, Blocked, Starred, PendingRequest, Favorite, Suggested, Group, and ChatParticipant.
Last time contacted  Date         Date and timestamp converted from UTC (Universal Time Coordinated).
Created              Date         A stored log on the device of when the contact was created.
Modified             Date         A stored log on the device of when the contact was modified.
Times contacted      Number       A stored log on the device for the number of times contacted.
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
Entries
Category             Text         Any category information e.g., Fax, Work, Email, URL.
Value                Text         Value for the Category.

Addresses
Street1              Text         Location or address information of the contact entry (this description applies to all Addresses fields).
Street2              Text
House Number         Number
City                 Text
State                Text
Country              Text
Postal Code          Text
PO Box               Text
Neighborhood         Text
Category             Text

Organizations
Name                 Text         Name of the organization or business.
Position             Text         The contact's position or title.
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11.5.2.1.2. Instant Messages 


Instant Messages model mapping window: "Select an existing UFED Physical Analyzer or generic model" (Instant Messages) and "Drag field types to the columns you want to map in the table below". The field types offered for this model are the message fields (Subject, Body, Timestamp, Read, Delivered, Map Address, Status, Label, Platform, Message Type, SMSC, Folder, Priority) and the From, To, Attachment, Position and SharedContacts groups (From and To, for example, have Identifier, Status, Name, IP addresses, Delivered and Date read). In the example, the author_id, content, created and place_data columns of a Twitter database are mapped to From - Identifier, Body, Delivered and Map Address, and the right pane shows the simulated Instant Message record with Source Application: Twitter, Extraction: Physical, Manually decoded: True and the Source file path under userdata (ExtX)/Root/data/com.twitter.android/databases/. The Preview area (Preview max results: 10) shows the mapped columns with their Convert and Edit links.
Field          Type         Description
Subject        Text         The user created subject line of an entry. Applicable for social media chats that describe a name or subject of a group.
Body           Text         The body of the message.
Timestamp      Date         A network timestamp which may be recovered for a message.
Read           Date         Date the message was read.
Delivered      Date         Date the message was received.
Map Address    Text         The street address, city, and state associated with the message.
Status         Enumeration  Status of the message as marked in the device (Sent, Unsent, Read, Unknown).
Label          Enumeration  The label applied to the message (Default, Star, Liked, Disliked).
Platform       Enumeration  The platform used for the message (Unknown, PC, Mobile).
Message Type   Enumeration  Differentiates between the different types of Messages: App message, SMS, MMS etc.
SMSC           Text         For SMS messages, the short message service center (SMSC) that handled the message.
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Folder         Text         The folder that contains the message.
Priority       Enumeration  The priority of the message.

From
Identifier     Text         The unique ID for the party. e.g., email address, GUID, nickname etc.
Status         Enumeration  Status of the message as marked in the device (Sent, Unsent, Read, Unknown).
Name           Text         Name of the party.
IP addresses   Text         IP address of the device.
Delivered      Date         Date the SMS was received.
Date read      Date         Date the message was read.

To
Identifier     Text         The unique ID for the party. e.g., email address, GUID, nickname etc.
Status         Enumeration  Status of the message as marked in the device (Sent, Unsent, Read, Unknown).
Name           Text         Name of the party.
IP addresses   Text         IP address of the device.
Delivered      Date         Date the message was received.
Date read      Date         Date the message was read.

Attachment
Filename       Text         The name of the attachment.
Contact type   Enumeration  The type of contact. Unknown, Follower, Following, FollowingAndFollower, Spam, Blocked, Starred, PendingRequest, Favorite, Suggested, Group, and ChatParticipant.
Charset        Text         Character set encoding.
URL            Text         A URL string associated with the attachment.
Title          Text         Title text for the attachment.
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Position
Longitude        Number       Coordinate of the message in longitude.
Latitude         Number       Coordinate of the message in latitude.
Elevation        Number       Elevation data.
Comment          Text         Any comment text added to the location.

Shared Contacts
Name             Text         Name of the contact that was sent.
Notes            Text         Any notes added to the sent contact.
Group            Text         Group information (if the contact was sent to a group).
Contact type     Enumeration  The type of contact. Unknown, Follower, Following, FollowingAndFollower, Spam, Blocked, Starred, PendingRequest, Favorite, Suggested, Group, and ChatParticipant.
Created          Date         A stored log on the device of when the contact was created.
Modified         Date         A stored log on the device of when the contact was modified.
Times contacted  Number       A stored log on the device for the number of times contacted.
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11.5.2.1.3. Generic model 


Generic model mapping window: "Select an existing UFED Physical Analyzer or generic model" (Generic) and "Drag field types to the columns you want to map in the table below". The generic model offers the field types Field 1 to Field 10 and Timestamp 1 to Timestamp 3. In the example, the guid, notebook_guid, title, content_length, created and updated columns of an Evernote notes table are mapped to Field 1 to Field 4, Timestamp 1 and Timestamp 2, and the right pane shows the simulated generic record (Field 1 to Field 10, Timestamp 1 to Timestamp 3) with Extraction: Physical, Manually decoded: True and Source: Evernote. The Preview area (Preview max results: 10) shows the mapped columns with their Convert and Edit links, and the Previous button returns to the query.


11.5.2.2. Advanced options 


Advanced options include renaming, sorting, linking, and grouping capabilities. 


Advanced options table columns: Visible, Expression, Column Name, Sort Type, Sort Order, Aggregate, Grouping, Criteria for. Example rows:

Expression                   Column Name   Sort Type   Sort Order   Criteria for
contacts.contact_id          ID            Ascending   1            For groups
contacts.first_name          First Name                             For values
contacts.display_name        Display Name  Ascending                For values
contacts.small_picture_url   URL           Ascending                For groups


The following advanced options are available: 


Option        Description
Visible       Select whether the field is displayed or not.
Expression    Select the field to display or click the Expression button.
Column Name   Enter a name for the column.
Sort Type     Select a sort type: Descending or Ascending.
Sort Order    Enter the sort order for the field.
Aggregate     Select an aggregation option.
Grouping      Select if this field should be grouped.
Criteria for  Select a criterion: values or groups.
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To open the Expression Editor: 


Visible and Expression columns, with sms.date_sent and sms.body as example expressions.

1. Click the button next to the Expression field and select Expression Editor. The following window appears.

Expression Editor window: the Query Objects pane lists the tables and their columns (sms in the example), the function list offers the available SQLite functions (for example abs, avg, changes, coalesce, count), and the editor options are Show left pane, Always show scroll bars in editor, Auto indent, Auto-insert closing parentheses and quotes, Close Expression Editor on Escape button press, Code completion, Word wrap, Highlight matching parentheses (Highlight With Color), Text editor font and Tab size.
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3. Make the required changes. 
4. Click OK. 
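The following is an added example, not code from the Cellebrite manual, showing what the query builder steps of 11.5.2 (linking two tables on a field common to both, the Max results preview limit) and the advanced options of 11.5.2.2 (Column Name, Sort Type and Sort Order, Aggregate, Grouping, and an Expression using a function such as coalesce) produce as SQLite SQL. The bookmarks and bookmark_group tables, their columns and their rows are constructed in memory to resemble the tables shown in the query builder window; none of them is a real application schema.

```python
"""Added example, not code from the Cellebrite manual: how the query builder
steps of section 11.5.2 and the advanced options of 11.5.2.2 translate into
SQLite SQL. The database is constructed in memory; every table and column name
is an assumption, not a real application schema."""
import sqlite3


def make_sample_db():
    """Constructed sample database (not a real extraction)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE bookmark_group (group_id INTEGER PRIMARY KEY, group_name TEXT);
        CREATE TABLE bookmarks (
            bookmark_id INTEGER PRIMARY KEY, group_id INTEGER,
            bookmark_name TEXT, bookmark_url TEXT, visit_count INTEGER);
        INSERT INTO bookmark_group VALUES (1, 'News'), (2, 'Work'), (3, 'Empty');
        INSERT INTO bookmarks VALUES
            (10, 1, 'Daily',  'https://news.example/daily',    4),
            (11, 1, 'Weekly', 'https://news.example/weekly',   1),
            (12, 2, NULL,     'https://intranet.example/wiki', 7),
            (13, 9, 'Orphan', 'https://orphan.example/',       0);  -- group 9 does not exist
    """)
    return con


def build_join_query(left, right, on, columns, max_results=10):
    """Step 3 of 'Building the query': linking a field common to both tables
    gives an inner join; the Max results value becomes a LIMIT for the preview."""
    return (f"SELECT {', '.join(columns)} FROM {left} "
            f"INNER JOIN {right} ON {left}.{on} = {right}.{on} "
            f"LIMIT {int(max_results)}")


def build_advanced_query(source, options, max_results=10):
    """Advanced options: each dict mirrors one row of the options table
    (visible, expression, name, aggregate, grouping, sort_type, sort_order)."""
    select, group_by, order = [], [], []
    for opt in options:
        expr = opt["expression"]
        if opt.get("aggregate"):                     # Aggregate column
            expr = f"{opt['aggregate']}({expr})"
        if opt.get("visible", True):                 # Visible check box
            select.append(f'{expr} AS "{opt["name"]}"')  # Column Name
        if opt.get("grouping"):                      # Grouping check box
            group_by.append(opt["expression"])
        if opt.get("sort_type"):                     # Sort Type / Sort Order
            order.append((opt.get("sort_order", 99),
                          f'"{opt["name"]}" {opt["sort_type"]}'))
    sql = f"SELECT {', '.join(select)} FROM {source}"
    if group_by:
        sql += " GROUP BY " + ", ".join(group_by)
    if order:
        sql += " ORDER BY " + ", ".join(clause for _, clause in sorted(order))
    return sql + f" LIMIT {int(max_results)}"


def preview(sql):
    """Preview area: run the generated query against the sample database."""
    con = make_sample_db()
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


# Work area: bookmarks linked to bookmark_group on group_id; coalesce() is the
# kind of expression the Expression Editor's function list offers.
JOIN_SQL = build_join_query(
    "bookmarks", "bookmark_group", "group_id",
    ["bookmark_group.group_name",
     "coalesce(bookmarks.bookmark_name, '<untitled>') AS bookmark_name",
     "bookmarks.bookmark_url"])

# Advanced options: one row per group with a count and a sum, sorted by visits.
ADVANCED_SQL = build_advanced_query(
    "bookmark_group LEFT JOIN bookmarks ON bookmark_group.group_id = bookmarks.group_id",
    [{"expression": "bookmark_group.group_name", "name": "Group name",
      "grouping": True, "sort_type": "ASC", "sort_order": 2},
     {"expression": "bookmarks.bookmark_id", "name": "Bookmarks", "aggregate": "count"},
     {"expression": "bookmarks.visit_count", "name": "Visits", "aggregate": "sum",
      "sort_type": "DESC", "sort_order": 1}])

if __name__ == "__main__":
    for sql in (JOIN_SQL, ADVANCED_SQL):
        print(sql)
        for row in preview(sql):
            print("   ", row)
```

The inner join drops the orphan bookmark whose group_id has no matching group, which is the same effect linking fields has in the work area; the left join in the advanced query keeps the empty group so that its count shows as 0 and its sum as NULL, which is worth knowing before mapping such a column to a numeric model field.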
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11.5.3. Mapping data 


Select one of the existing data models (e.g., Chats, Contacts, Call logs, Instant messages etc.) or a generic model, and drag the field types to the correct columns. Some columns have special formatting options (see SQLite option windows (on the next page)).


To map the data: 


1. Select an existing Physical Analyzer or generic model. If the fields match an existing 
Physical Analyzer model, then you should use that model. New records that are found by 
the SQLite script will be included in the selected model under Analyzed Data. If you cannot 
find a matching model use the default generic model. The Generic model is indicated as a 
separate model under Analyzed Data. 

2. Drag the field types to the correct columns. You can drag more than one field type to a column to map multiple fields. Click Edit to edit the mapping. Click Convert to map new values. Some columns have special formatting options, enabling you to convert enum, lookup, XML/PLIST/JSON, and timestamp formats (see SQLite option windows (on the next page)).


In the Preview area, mouse over the fields to see the original value of the field. For example, a mapped value Friends shows the tooltip "Original: Close Friends".


3. Click Next. The following window appears. 


Manage queries window: the Project selector (Samsung GSM_GT-i9205 in the example), the Duplicate, Import and Export buttons, and the columns Status, New records, Name, Model type, Autorun, Include deleted and Databases.
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11.5.3.1. SQLite option windows 


Some models have columns with special formatting options, enabling you to convert enum, 
lookup, timestamp and XML/PLIST/JSON formats and help you map the relevant fields and 
columns. 


11.5.3.1.1. Enum 


Select the values to map to the unique values on the right. An example is shown next. 


Enum window: "Map the values below to the unique values on the right", with the model's unique values Unknown, Sent, Unsent, Read and Unread, and the list of Remaining values to map on the right.
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11.5.3.1.2. Conditions 


In cases where the interpretation of a field is based on another field's value, you can map that data using the conditions function. For example, an SMS participants table in an SQLite database contains SMS information. In several cases, the same column will contain both From and To values for the SMS message. You can create a new condition to distinguish between the two different field values. An example is shown next.


Conditions window: "Create conditions for one or more columns". In the example, conditions are created for the Field10 = small_picture_size mapping: a first condition "When first_name Equal Name", further conditions added with the Add link ("Or display_name ...", "Or last_name ..."), Equal and Contain as the available operators, And rows for grouped conditions, the fields (for example first_name and contact_id) and values (Name) selectable in each row, the option "Original values will be used", and the Save and Cancel buttons.


Use the Add link to add additional conditions with an "or" between them by default. Use the selection arrows to move the conditions. Moving a condition to the right will create a group with an "and" relationship between the conditions. Click Save to save the condition.
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11.5.3.1.3. Lookup 


Use a lookup window to add new values which can then be mapped to the unique values on 
the right. The number of look up records is partial i.e., it may not include all records. You can 
manually add additional values if required. 


Lookup window: "Add new values, then map the values below to the unique values on the right", with the Add new item link and the list of Remaining values to map (the value true in the example).
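The following is an added example, not code from the Cellebrite manual, of what the Enum, Conditions and Lookup windows above do to a row: an enum map from raw database values to the model's unique values with a "remaining values to map" check, conditions arranged as OR groups of AND conditions (the grouping the selection arrows create) that decide whether one column's value is the From or the To party, and a partial lookup table extended with values added by hand. The rows, the column names and the encoding of the direction column are all constructed for the example and do not come from a real SMS participants table.

```python
"""Added example, not code from the Cellebrite manual: the Enum, Conditions and
Lookup windows of section 11.5.3.1 implemented in plain Python over constructed
rows. The rows imitate an SMS participants table in which one column holds the
other party for both incoming and outgoing messages, with a separate column
telling which (an assumed encoding)."""

# Constructed rows (not from a real extraction).
ROWS = [
    {"msg_id": 1, "address": "+15550100", "direction": 1, "status": 0},
    {"msg_id": 2, "address": "+15550100", "direction": 2, "status": 1},
    {"msg_id": 3, "address": "+15550199", "direction": 1, "status": 2},
    {"msg_id": 4, "address": "+15550177", "direction": 3, "status": 5},
]

# Enum window: raw database values mapped to the model's unique values.
MODEL_STATUS_VALUES = ("Unknown", "Sent", "Unsent", "Read", "Unread")
STATUS_ENUM = {0: "Unknown", 1: "Sent", 2: "Read"}   # raw value 5 left unmapped


def map_enum(raw, mapping=STATUS_ENUM, model_values=MODEL_STATUS_VALUES):
    """Return the model value for a raw value, or None when it is not mapped yet."""
    value = mapping.get(raw)
    return value if value in model_values else None


def remaining_values(rows, column, mapping=STATUS_ENUM):
    """'Remaining values to map': raw values in the column with no enum mapping."""
    return {row[column] for row in rows if row[column] not in mapping}


# Conditions window: a list of OR groups, each group a list of AND conditions
# (moving a condition to the right in the window puts it into an AND group).
CONDITIONS = {
    "From": [[("direction", "Equal", 1)]],
    "To":   [[("direction", "Equal", 2)],
             [("direction", "Equal", 3), ("address", "Contain", "177")]],
}


def check(row, field, operator, value):
    """One condition row: 'When <field> Equal/Contain <value>'."""
    if operator == "Equal":
        return row.get(field) == value
    if operator == "Contain":
        return str(value) in str(row.get(field, ""))
    raise ValueError(f"unknown operator {operator!r}")


def matches(row, or_groups):
    return any(all(check(row, *cond) for cond in group) for group in or_groups)


def apply_conditions(row, column, conditions=CONDITIONS):
    """Map row[column] to the first model field whose conditions match; when no
    condition matches, the original value is used under the column's own name."""
    for field, or_groups in conditions.items():
        if matches(row, or_groups):
            return {field: row[column]}
    return {column: row[column]}


# Lookup window: a partial lookup table plus values added by hand in the window.
LOOKUP = {"+15550100": "Contact A (constructed)"}


def lookup(value, table=LOOKUP, added=None):
    """Resolve a raw value through the lookup; unknown values pass through unchanged."""
    return {**table, **(added or {})}.get(value, value)


def decode_row(row, added_lookup=None):
    """Apply all three converters to one row, as the mapped preview would show it."""
    party = apply_conditions(row, "address")
    party = {field: lookup(value, added=added_lookup) for field, value in party.items()}
    return {"msg_id": row["msg_id"], "Status": map_enum(row["status"]), **party}


if __name__ == "__main__":
    for row in ROWS:
        print(decode_row(row, added_lookup={"+15550199": "Contact B (added)"}))
    print("remaining status values:", remaining_values(ROWS, "status"))
```

Row 4 shows both edge cases at once: its status value has no enum mapping, so the model field stays empty and the value appears in the remaining-values list, and its direction only resolves through the AND group (direction 3 and an address containing 177), which is the behaviour the selection arrows produce in the window.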
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11.5.3.1.4. Timestamp 


Use the suggested timestamp global format or select one of the other available options. You 
can also manually add additional options. An example is shown next. 


Select a timestamp global format:

Milliseconds from UTC 1970 (Suggested)   11/10/2015 3:17:55 PM
Milliseconds from UTC 1601               11/10/1646 3:17:55 PM
Microsecond from UTC 1601                1/17/1601 5:59:28 PM
Custom format                            Preview: N/A


The Custom format can be used for timestamps that are in text format. Enter the required 
format and click OK. Some custom format examples are displayed next. 


Custom format          Example value
M-d-yy h:mm tt         02-14-19 9:19:00 AM
M/d/yyyy h:mm tt       5/1/2009 6:32 PM
M/d/yyyy h:mm:ss       2019/07/12 08:22:48 PM
MM/dd/yyyy hh:mm:ss    5/1/2009 6:32:00
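The following is an added example, not code from the Cellebrite manual, that implements the three global timestamp formats of the window above and the custom text format with the Python standard library. The raw value 1447168675000 is constructed so that its three readings reproduce the three times listed in the window (the same raw number read as milliseconds since 1970, milliseconds since 1601 and microseconds since 1601), which is why choosing the wrong global format silently shifts a record by centuries. The heuristic behind "(Suggested)" and the table of .NET-style custom format tokens are my assumptions, not a description of the product's logic.

```python
"""Added example, not code from the Cellebrite manual: the global timestamp
formats and the custom text format of the Timestamp window. The raw value
1447168675000 is constructed to match the times shown in the window; the
'suggested' heuristic and the custom-format token table are assumptions."""
import re
from datetime import datetime, timedelta, timezone

EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME epoch


def from_ms_1970(raw):
    """Milliseconds from UTC 1970."""
    return EPOCH_1970 + timedelta(milliseconds=int(raw))


def from_ms_1601(raw):
    """Milliseconds from UTC 1601."""
    return EPOCH_1601 + timedelta(milliseconds=int(raw))


def from_us_1601(raw):
    """Microsecond from UTC 1601."""
    return EPOCH_1601 + timedelta(microseconds=int(raw))


GLOBAL_FORMATS = {
    "Milliseconds from UTC 1970": from_ms_1970,
    "Milliseconds from UTC 1601": from_ms_1601,
    "Microsecond from UTC 1601": from_us_1601,
}


def suggest_format(raw, earliest=2000, latest=2100):
    """Assumed heuristic for '(Suggested)': the first global format whose reading
    lands in a plausible year range; None if no format does."""
    for name, convert in GLOBAL_FORMATS.items():
        if earliest <= convert(raw).year <= latest:
            return name
    return None


def show(dt):
    """Render like the window: M/d/yyyy h:mm:ss tt followed by (UTC+0)."""
    clock = dt.strftime("%I:%M:%S %p").lstrip("0")
    return f"{dt.month}/{dt.day}/{dt.year} {clock}(UTC+0)"


# Custom format: .NET-style tokens (assumed) translated to strptime directives.
_TOKENS = {"yyyy": "%Y", "yy": "%y", "MM": "%m", "M": "%m", "dd": "%d", "d": "%d",
           "HH": "%H", "H": "%H", "hh": "%I", "h": "%I", "mm": "%M", "m": "%M",
           "ss": "%S", "s": "%S", "tt": "%p"}
_TOKEN_RE = re.compile("|".join(sorted(_TOKENS, key=len, reverse=True)))


def custom_format_to_strptime(fmt):
    """Longest tokens are matched first so 'yyyy' is not read as two 'yy'."""
    return _TOKEN_RE.sub(lambda m: _TOKENS[m.group()], fmt)


def parse_custom(fmt, text):
    """Parse a text timestamp with a custom format such as 'M/d/yyyy h:mm tt'."""
    return datetime.strptime(text, custom_format_to_strptime(fmt))


if __name__ == "__main__":
    raw = 1447168675000   # constructed raw value
    for name, convert in GLOBAL_FORMATS.items():
        print(f"{name:28} {show(convert(raw))}")
    print("suggested:", suggest_format(raw))
    print(parse_custom("M/d/yyyy h:mm tt", "5/1/2009 6:32 PM"))
```

The custom-format parser has no time zone information, so the datetime it returns is naive; the window's global formats are explicitly UTC, which is why the example attaches timezone.utc to those epochs only.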
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11.5.3.1.5. XML/PLIST/JSON 


If a field includes XML, PLIST or JSON, the following window appears after you drag a field to the required column. Select the fields to map and click OK. After mapping the field, click the Edit link to make additional changes, click Converter to map new values, or click the Preview button to preview the code. An example is shown next.


Select field window:

    <QueryModelMappingItem xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Id more="123">2a9e535f-7556-43ed-98f7-9ac29380d267</Id>
      <Name>NewMapping1</Name>
      <Data>dusfqius</Data>
      <Version>1</Version>
      <AutoRun>true</AutoRun>
      <OsType>Ios</OsType>
      <Locations>
        <string>accounts.db</string>
        <string>accounts2.db</string>
      </Locations>
    </QueryModelMappingItem>

OK and Cancel buttons.


Fields with a blue border indicate that the fields can be mapped. 
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11.5.4. Running the created query 


New records added by means of a manual query are indicated in the Manage queries window. For information on how to manage queries, see Managing queries (on the next page).


To manually run a query:

1. Select the project (if you have more than one project open).
2. In the table, select the required query that you want to run.
3. Click Run.
4. A message appears asking you to confirm that you want to run the mapping. Click Yes.


Running a query with more than 200,000 results will significantly increase the processing time and may cause the system to stop responding.


5. New records are indicated under the model in the Manually decoded column. An example is displayed next.

Example: the Facebook model (716) in table view, with its Export, Table Search and column selection toolbar, showing the Source column (Facebook) and the Source file information column (for example contacts_db2 : 0x3679E, contacts_db2 : 0x0 and contacts_db2 : 0x25A2E) for the manually decoded records.
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11.5.5. Managing queries 


All queries are managed in the SQLite query manager, where you can select to auto-run the query as part of the automatic decoding process (see Running queries automatically (on the facing page)) and save a query for future use.


With the SQLite query manager, you can also: 


» Add, edit and delete queries. 
» Run queries on demand and remove records if required. 
» View the number of new records per query. 


» Share the queries with colleagues using the Export and Import features. 


To open the SQLite query manager: 


» Click Tools > Database query builder > Open SQLite query manager. The following window 
appears. 


Manage queries window: the Project selector (Samsung GSM_GT-i9205 in the example), the Duplicate, Import and Export buttons, and the columns Status, New records, Name, Model type, Autorun, Include deleted and Databases. In the example, the query Facebook Q1 (model type Contacts, Autorun selected, database contacts_db2) has 50 new records, and the Remove new records button is available.


The following table explains all the actions and options available in this window:

Item                Type       Description
Auto run            Check box  Set Physical Analyzer to run the query automatically.
Databases           Column     Display the name of the database.
Delete              Button     Delete queries.
Duplicate           Button     Duplicate an existing query.
Edit                Button     Edit or add additional names for a database.
Export              Button     Export a query, which can then be imported and used by other users.
Import              Button     Import a query that was created by another user.
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Include deleted     Column     Display if this query includes deleted data. This option is read-only and cannot be changed.
Model type          Column     Display the Physical Analyzer model type.
Name                Column     Display the name of the SQLite query.
New records         Column     Display the number of new records that were found after running a query. "No results" indicates that the database is not found or there are no records in the database.
Project             Menu       Select the project on which the query should be run (if you have more than one open project).
Remap               Button     Remap or change the query.
Remove new records  Button     Remove (rollback) the new records that were found after running the query.
Run                 Button     Run a selected query.
Save                Button     Save any changes that were made.

Running queries automatically

You can select to auto-run a query as part of the automatic decoding process.

To run a query automatically:

1. Select the Auto run check box.
2. If required, modify the database location using the Edit button.
3. Click Save.
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11.6. Fuzzy models 


The Fuzzy model plugin enables you to add valuable data from new databases. It identifies new data sources, and handles and parses unknown databases and numerous application databases. Information is automatically analyzed using a heuristic process and a unique set of rules. The Fuzzy model plugin is useful when the use of an application is known but its data has not been automatically parsed.

The Fuzzy model plugin scans and analyzes all databases and all tables within the databases, and automatically maps the records into known models (e.g., email, IM, events, call logs etc.).

The following fuzzy models are available:

» Fuzzy events: View extracted events such as messages, call logs etc.
» Fuzzy objects: View extracted data from any database which has not been decoded by Physical Analyzer's parsers. This model holds information regarding a certain artifact such as contact, account etc.


To run the Fuzzy model plugin: 


1. Wait for the decoding process to complete. 
2. Select Tools > Run Fuzzy model plugin. This will be initiated on the active project only. The 
Fuzzy models are indicated as separate models under Analyzed Data. 
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Example: the Analyzed Data tree of an extraction (Samsung GSM_GT-i9506 in the example) after running the plugin, listing Application (420) (5), Calendar (65) (17), Calls (461) (22), Contacts (1308) (206), Devices & Networks (717) with Device Events (50) and Wireless Networks (667), Location Related (4011) (15) with Device Locations (4002) (15) and Maps (9), and Manual Data Collection (16559) containing the new Fuzzy events (11323) and Fuzzy objects (5236) models.
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3. Open both the Fuzzy events and Fuzzy objects models, and review the parsing results. For each of these models, you can see the list of results presented in a table and database format, which displays the contents of database files that were found in the extraction. An example is displayed next.


Example: the Fuzzy events (80) table view, with columns such as Timestamp, Title, To, From, Body, Additional contact details and GeoLocation, the status line "Total: 80 Deduplication: 0 Items: 80/80 Selected: 3", and the database pane listing the tables of the source database (for example raw_contacts, contacts, data, groups, calls, deleted_contacts) with their row counts. The selected Fuzzy event shows its Source file under userdata (ExtX)/Root/data/com.android.providers.contacts/databases/profile.db-wal (Table: raw_contacts, Size: 470584 bytes) and the raw column values of the record.
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11.7. Generating dictionary files 


Create dictionary files based on all the numeric and alphanumeric strings found in the project. Three types of files are created: 4-digit (numeric), 6-digit (numeric) and a full list of all strings (alphanumeric of length 1 and above). These files can be useful for bruteforce methods to access other devices, accounts, files, or even computers that belong to the same person.


To generate the word lists: 


iP 


Select Tools > Generate dictionary files. The following window appears. 


Generate dictionary files - o x 


Create dictionary files based on all the numeric and alphanumeric strings found in the project. 

Three types of files are created: 4-digit (numeric), 6-digit (numeric) and a full list of all strings (alphanumeric of length 1 and above). 

These files can be useful for brute force methods to access other devices, accounts, files, or even computers that belong to the same person. 
Select projects: @ WirelessandModels 

Your dictionary files will be saved here: 

\pt nC\Document ts Change 


Use as the default location for all dictionary files 


2. Select the required project. 

3. Click Change to change the default location where the text files will be saved. 

4. Select the Use as the default location for all dictionary files check box to change the 
default location. The default location is specified under Settings > General Settings. See 
General settings (on page 421). 

5. Click Generate. The dictionaries are created and the following notification is displayed. 


(Notification: Three dictionary files were created. All files were saved to the specified 
location. Show in folder.) 


6. Click Show in folder in the notification to access the word lists. An example is displayed 
next. 

Name          Date modified      Type            Size 
4digits.txt   7/1/2019 2:22 PM   Text Document   1 KB 
6digits.txt   7/1/2019 2:22 PM   Text Document   1 KB 
all.txt       7/1/2019 2:22 PM   Text Document   166 KB 
11.8. Working with TomTom 


TomTom generates trip log files that are encrypted by the device only if TomTom users 
select to share their location information with TomTom. TomTom registers the device 
location in the trip log files. Export the TomTom XML file generated from the trip logs, and 
send it to Cellebrite for processing. Once returned, you can view most of the location 
information available in the file using Physical Analyzer. 


For more information on extracting data from a TomTom device, see Reading data from a 
GPS or mass storage device (on page 278). 


For more information on geolocations, see Device locations (on page 170). 


Not all the information contained in the TomTom extraction file is retrievable. 

The processing service can take up to a few days, depending on the volume of data and 
requests. The service is currently free of charge, but this may be subject to change. 

You must open the TomTom extraction in Physical Analyzer before exporting or importing 
the XML file. 


11.8.1. Exporting a TomTom file 


1. Open an extraction from a TomTom device. 


2. In the Tools menu, select TomTom > Export. 


(Export window: Click "Export" to export the required file for decrypting the TomTom trip 
logs. For additional processing, you need to send the file to: support@cellebrite.com. The 
window has a Copy button, a Save to field with a browse button, and a Cancel button.) 


3. Browse to the location where you want to save the exported TomTom extraction file, and 
click Save. 


The TomTom extraction file is saved as a GPS.TomTomExport.xml file. 
The file does not contain personal user information such as locations. 


4. Send the GPS.TomTomExport.xml file to: support@cellebrite.com. For US customers: 
support@cellebriteusa.com. 


The GPS.TomTomExport.xml file is processed by Cellebrite support. Your request enters a 
queue at Cellebrite support. Processing of the TomTom extraction file may take a few 
days. 


11.8.2. Importing a TomTom file 


Once Cellebrite support has returned your processed TomTom XML file, import the file to 
Physical Analyzer. 


1. Open the TomTom extraction for which you have the *.xml file. 


2. In the Tools menu, select TomTom > Import. 


(Import window: Click "Import" to decrypt the TomTom trip logs. Save to: 
C:\Dumps\TomTomStuff\export-decrypted.xml, with a browse button and an Import button.) 


3. Click the browse button, browse to the location of the returned TomTom extraction *.xml 
file, and click Open. 
4. Click Import. 


The TomTom *.xml file is imported to Physical Analyzer. The Locations tree item is 
populated. 


5. Double-click Locations to open the tree item in a data tab. 


The tab shows the device's location at every three seconds with a time and date stamp 
and geographical coordinates. 


Not all the information contained in the TomTom extraction file is retrievable. 
11.9. Opening an encrypted extraction 


To open an encrypted extraction or application, you need to enter the password. If you do not 
know the password, you can load passwords from a text file (dictionary). 


The following encrypted extractions or applications are supported: 


» BlackBerry encrypted content 
» BlackBerry Password Keeper 
» Apple encrypted iTunes backup 
» Android encrypted ADB backup 
» Android encrypted memory 

» TextSecure 


To open an encrypted extraction: 


1. Open the extraction in Physical Analyzer. Figure 1 shows an Android encrypted ADB 
backup and Figure 2 shows an Apple encrypted iTunes backup. 


Android user data encryption 

The extraction or application is encrypted. To continue with the decoding process, enter 
the password and click OK. 

If you do not know the password, click "Load from file" to load passwords from a text 
file (dictionary). The file must include a list of passwords, with each password on a 
separate line. 

Note: This process runs locally on your computer, and may take some time to 
complete. 

(Buttons: Load from file, OK, Cancel) 

Figure 1: Android user data encrypted 
iTunes backup encryption 

The extraction is encrypted. To continue with the decoding process, enter the 
iTunes backup encryption password and click OK. 

If you do not know the iTunes backup encryption password, click "Load from 
file" to load passwords from a text file (dictionary). The file must include a list of 
passwords, with each password on a separate line. This process runs locally on 
your computer, and may take some time to complete. 

Notes: 
1. The iTunes backup encryption password is required here to access encrypted 
backups, and is different from the iPhone device PIN code. 
2. If the iTunes backup encryption password is not available, approach Cellebrite 
Services for a possible encryption bypass solution. 

(Button: Load from file) 

Figure 2: iTunes backup encryption password 


2. Enter the password in the space provided. 


The iTunes backup encryption password is required here to access 
encrypted backups, and is different from the iPhone device PIN code. 
Physical Analyzer sets the password to 1234 during the extraction 
process. 


If the iTunes backup encryption password is not available, contact 
Cellebrite Services for a possible encryption bypass solution. 


For BlackBerry encrypted content, you need to enter the password that 
matches the displayed SHA-1 hash. 


-Or- 


Click Load from file to load a list of passwords from a text file (dictionary). The file must 
include a list of passwords, with each password on a separate line. 


3. Click OK. 
11.10. Opening an encrypted zip file 


Physical Analyzer can open encrypted zip files created by Cellebrite Responder. The zip file 
can contain HTML, PDF and UFDR report files. Only the UFDR file can be opened. To open an 
encrypted zip file, you need to enter the password. 


To open an encrypted zip file: 


1. Open the extraction in Physical Analyzer. The following window appears. 


(Window: The extraction zip file contains the following reports: report.html, report.pdf, 
report.ufdr. The reports will be saved to the My Reports folder: 
\\ptnas1\Home Dirs\jonathank\Documents\My Reports. Check box: Open the report.ufdr. 
Note: This process takes time to complete. Button: Continue.) 


The window indicates where the report files will be saved. 


2. To open the report.ufdr file, select the Open the report.ufdr check box. 
3. Click Continue to save the report files to the location indicated. The following window 
appears. 


The file is password encrypted. Enter the password to open the file. 


You can change the location under Settings > Report Defaults > Default 
folder. 


4. Click OK. 
11.11. Extraction and decryption of BlackBerry backup files 


You can decrypt the backup file from BlackBerry 10 devices. This feature is part of the file 
system extraction. Use Physical Analyzer to retrieve the BlackBerry backup key and decrypt 
the backup data. 


To retrieve a key with an Internet connection: 


1. Open a file system extraction of a BlackBerry 10 device. During the decoding process, the 
following window appears: 


The Blackberry10 backup extraction is encrypted. Decryption and decoding in UFED 
Physical requires a decryption key. Enter the Blackberry ID credentials to retrieve the 
backup key. An Internet connection is required. 

If you are working offline, retrieve a key from any UFED Physical connected to the 
Internet, as follows: 
1. Tools menu > Retrieve BlackBerry 10 backup key 
2. Save the key 
3. Load it via the Load button and continue the decoding process on your computer. 

(Fields: Username, Password) 


2. Enter the BlackBerry ID credentials and click Get backup key. 
3. To save the key for future use, click the Save button. 


To retrieve a key without an Internet connection: 

1. If an Internet connection is not available, you can retrieve a key on any instance of Physical 
Analyzer connected to the Internet. Go to Tools and select Retrieve BlackBerry 10 backup 
key. 

2. Enter the BlackBerry ID credentials and click Get backup key. 

3. Click Save and load the key on the Physical Analyzer not connected to the network to 
continue with the decoding process. 
11.12. WhatsApp decryption on BlackBerry databases 


This section applies when the WhatsApp databases on OS 7 BlackBerry devices cannot be 
decrypted because one of the keys essential to the decryption process is missing. In this 
case, the key can be recovered using the following procedure. 


To decrypt WhatsApp on BlackBerry databases (OS 7): 


1. If you run the physical extraction, you will receive a message that the WhatsApp databases 
cannot be decrypted. You will be able to see messageStore.db files in the file system, but 
they are encrypted. 


Encrypted content 


The content of this extraction is encrypted with hardware encryption. 
UFED Physical Analyzer could not decrypt the content protection keys. 
The following content may be missing or encrypted: 
1. Whatsapp database. 
Refer to the Help for information on how to decrypt the databases 
using the BlackBerry backup (BBB) file. 
2. RMF files. 


2. Create a BBB file (BlackBerry backup file) using the BlackBerry software installed on a 
PC. 
3. Click Open (advanced) to load the BBB file into Physical Analyzer. The following window 
appears. 
(Open (Advanced) window: Start a new project while customizing the decoding process. 
Options: Select a UFED extraction, used when a UFED unit extracted the data from the 
device, where you select the UFD file in the extraction folder; and Start without a UFD file, 
used when another method was used to extract the data, e.g., a chip-off or a different tool.) 

(Device Selection window: Select the device for your input data, with a Select Device field.) 

Select BlackBerry on the left or search for BlackBerry in the quick filter search. 
(Device Selection window with Select Device set to BlackBerry.) 

(Decoding method selection window: Select the decoding method for your input data. 
Select Decoding method: BB_BACKUP_BBB, Legacy - BlackBerryBackup.) 

7. Click Next. The following window appears. 
(Advanced Customization window: Customize the current chain and add dumps and file 
systems. Device: BlackBerry bbb file (Backup), with a Switch Device button. Selected Chain: 
BlackBerryBackup, which decodes BlackBerry backup extractions, with Switch Chain and 
Customize Chain buttons. Binary Dumps: BackupFile, with an Add Binary Dump button. File 
System Dumps: Add file systems (in a folder); Archive File (Zip, Tar); Select File.) 

8. Click BackupFile. A browser window appears. 
9. Click Open to load the *.bbb file. 


10. Click Finish. Some of the WhatsApp files are already automatically decoded. 
11. In the search box type SQLite Keys/1 and open the file in the Hex View. The following 
window appears. 

(Hex View of Path: /SQLite Keys/1, Size: 19 bytes: 
10 00 00 71 CE 20 1A A2 BD 6E 1A 52 A9 7A F7 58 31 2A 21) 

12. Click the Save button to save the file. The file should be 19 bytes long. 


13. Run the physical extraction and load the saved "1" file in the WhatsApp decryption key 
window. This window appears after the Encrypted content window. 
(WhatsApp decryption key window: WhatsApp data is encrypted. Load the decryption key and 
click OK. Key file field: C:\Users\jonathank\Desktop\Bugs\BBB\1, with a Load button.) 


14. Click OK. Chats from the decrypted WhatsApp databases should now be available. 
11.13. Exporting an account package from Physical Analyzer 


Export an account package to extract cloud accounts using tokens. 


This step is only necessary if UFED Cloud is installed on a separate machine from 
Physical Analyzer. 


To export an account package: 


1. Open an extraction in Physical Analyzer. 


2. Select Tools > Export account package. 


(Tools menu showing Export account package (Ctrl+E), Watch List Editor, Run Watch Lists 
On Active Project, Malware Scanner and Translation.) 


The Save As window appears. 


3. Click Save to save the export (*.ucae) file. The following window appears. 


User accounts extraction summary 

Data source             Account name 
Kik                     profrobert1962@gmail.com 
Gmail                   profrobbert1962@gmail.com 
GoogleLocationHistory   profrobbert1962@gmail.com 
GoogleDrive             profrobbert1962@gmail.com 
Facebook                CAAAAAYsX7TsBALN7m59mXahwPSfPDDF4sX6HSITcClhz2jpBceKudZ... 

(Buttons: Save, Close) 


4. Click Save to save a text file summary of the extracted user accounts, or click Close to 
complete the process. (The summary may be useful when preparing search warrants, or 
to share with other investigators.) 

Multiple entries for the same data source may relate to different accounts that were used 
on the device, or to previous login information for the same account. 
11.14. Media classification 


Physical Analyzer’s Media classification feature allows you to classify images and videos 
based on categories that are relevant to the case. 


When this feature is enabled, machine learning algorithms automatically scan and 
classify all images and videos in your case into the following categories: 

General 
» Flags 
» Food 
» Jewelry 
» Maps 

Money 
» Credit cards 
» Money (cash) 

People 
» Faces 
» Gatherings 
» Hand hold object 
» Nudity 
» Tattoos 

Places 
» Beach 
» Hotel rooms 
» Pool 
» Restaurant 

Substance 
» Cigarettes 
» Drugs 

Tech 
» Camera 
» Smartphones 

Textual 
» Barcodes and QR codes 
» Documents 
» Handwriting 
» Invoices 
» Photo IDs 
» Screenshots 

Transportation 
» Cars 
» License plates 
» Motorcycles 
» Vehicle dashboards 

Violence 
» Fire and explosion 
» Upskirt 

Suspected CSA (Child Sexual Abuse) 


Media Classification is CPU-based and requires additional processing time, so a newer CPU 
(generation 6 and higher) is required. If your CPU is not compatible with our Media 
classification engine, you can still use it, but processing time will take much longer. 


11.14.1. Running Media classification 


You can select to run Media classification in the Examination tools step of the Case wizard. 
See Examination tools [on page 69). 


Specify which type of media classification and which specific categories to run on the case. 


Running Media classification requires additional processing time. 


To run Media classification after the project has already loaded, see Running 
Media classification on demand (on page 352). 
1. In the Case wizard, under Enrichment engines, select Media classification. 

(Case wizard, Examination tools step: Apply examination tools & Enrichment engines. Under 
Examination tools, Selective apps decoding: Select apps to decode to speed up the 
examination process and view only relevant data; app selection will be presented within a 
few minutes. Under Enrichment engines, Media classification: Classify images and videos 
based on categories relevant to the case; additional processing time is required for 
non-native categories; Select categories button. Buttons: Back, Examine data.) 


2. Click Select categories. The following window appears: 

(Select media window. Select media: Image & Video, Image, Video. Note: Video classification 
requires a longer processing time than image classification. Select categories, with a Select 
All check box, grouped as General (Flags, Food, Jewelry, Maps), Money (Credit cards, 
Money), People (Faces, Gatherings, Hand hold object, Nudity, Tattoos), Places (Beach, Hotel 
rooms, Pool, Restaurant), Substance (Cigarettes, Drugs), Suspected CSA, Tech (Camera, 
Smartphones), Textual (Barcodes and QR codes, Documents, Handwriting, Invoices, Photo 
IDs, Screenshots), Transportation (Cars, License plates, Motorcycles, Vehicle dashboards), 
Violence (Fire and Explosion, Upskirt, Weapons). Buttons: Cancel, Apply.) 


3. Select the type of media classification to run: 
» Image and video 
» Images only 
» Videos only 

Video classification requires a longer processing time than image classification. 


4. Select or unselect the categories relevant to the case. 


By default, all categories are selected except for Suspected CSA. 


Running the Suspected CSA category may increase process time and memory 
consumption. Use a GPU card (NVIDIA® GPU card with CUDA® compute capability 3.5 or 
higher) to boost the speed of this process. 


5. Click Apply. 


11.14.2. Viewing and analyzing classified media 


Once the project is loaded into Physical Analyzer, there are three ways to view images 
according to their classification. 


1. Insights 
a. Go to the Insights menu item. 
b. Double click Media classifications. 


c. For each category click to view the images and/or videos. 
2. Analyzed data tree 
a. Click on the Analyzed data menu item. 
b. Under the Media tree item, double click Images or Videos. 
c. Double click a category to view the media. 

3. Filtering the media by classification type 
a. Click on the Analyzed data menu item. 
b. Under the Media tree item, double click Images or Videos. 
c. Click Filters > Classification type. 

Select or unselect the categories to display. 


Viewing classified videos 


Video classification allows users to locate valuable information without the need to view 
entire videos. When a category has been found in the video, you can jump directly to the 
frame in which it can be seen. 


Chapter 11: 350 


To locate frames containing classified categories: 


1. Double click the video to open it in a new tab. 


2. Click Categories. The classified categories and their confidence score (see Media 
classification score control, below) are displayed in the right panel. 


3. Click on a category to locate the related frames. 


(Screenshot: a video open in its own tab, with the Categories panel on the right and the 
color-coded progress bar below the video.) 

The video progress bar is color coded to show where categorized frames appear. See the 
Categories legend at the bottom of the screen for reference. 


Media classification score control 


Each classified image and video is given a score (0-100%) based on classification accuracy. 
When viewing specific categories, the items are sorted from highest to lowest score. 


You can use the classification score filter to display results within a certain range. 


In the example below, the classification score filter is set to display only those results with a 
score of 80% or higher. This filters out less accurate results. 


(Screenshot: the Image Classifications view in Thumbnail View, with the classification score 
filter applied and the category counts, e.g. Nudity and IDs, listed in the Analyzed Data tree.) 
11.14.3. Running Media classification on demand 


In the case that Media classification was excluded or only partially run (for example, only 
image classification was selected) when loading the case, you can run it after the project has 
loaded. 


1. Go to Tools > Review engines > Media classification. The following window appears: 


(Select media window, as shown under Running Media classification: Select media (Image & 
Video, Image, Video), the note that video classification requires a longer processing time, 
the Select categories groups with a Select All check box, and the Cancel and Apply buttons.) 


2. Select the type of media classification to run: 
» Image and video 
» Images only 
» Videos only 
3. Select or unselect the categories relevant to the case. 
4. Click Apply. 
11.15. Selective apps decoding 


This capability enables you to select apps that are installed on your examined device to 
decode and review. By selecting only the relevant apps, processing time is shortened and you 
can review the evidence faster by reducing unnecessary data. 


The list of the device's installed applications is generated either through a Cellebrite UFED 
extraction or by running a short pre-stage within Physical Analyzer, after which you choose 
the applications to be parsed selectively. 


11.15.1. Selecting apps to decode 


You can select to run Selective apps decoding in the Examination tools step of the Case 
wizard. See Examination tools (on page 69). 
1. In the Case wizard, select Selective apps decoding. 

(Case wizard, Examination tools step. Examination tools: Hash sets, which compares the 
MD5 hash sets of images, videos and files to databases of known and exclusion list files, 
with a Select hash sets button; Carve locations, which decodes additional location data from 
unallocated space and unsupported databases, with a Settings button; Recover data from 
archives, which decodes and processes additional data from archive (zip) files. Both carving 
options note that additional decoding time is required. Selective apps decoding: Select apps 
to decode to speed up the examination process and view only relevant data; app selection 
will be presented within a few minutes. Enrichment engines. Buttons: Back, Examine data.) 


2. After clicking Examine data and the decoding begins, the following window appears: 


(Selective apps decoding window: Select apps to decode and review from the apps installed 
on your examined device. The left pane lists expandable app categories: Browser, Hide files 
or pictures, Chat applications, Entertainment, Developer tools, Social networking, Lifestyle, 
Utilities. The right pane shows No apps selected. Button: Cancel.) 

It may take a few minutes for the Selective apps decoding window to appear. 


3. Select an app category to include all apps, or click on the arrow to select specific apps 
within a category. 


4. Once selected, the apps appear in the right pane. 
(Selective apps decoding window with 4 apps selected, listed in the right pane: Yandex 
Browser (com.yandex.browser), Google Chrome (com.android.chrome), Samsung Internet 
(com.sec.android.app.sbrowser) and Dolphin Browser (mobi.mgeek.TunnyBrowser). Check 
box: Include external app data that may have been shared within the selected apps. Buttons: 
Cancel, Continue.) 


5. If you wish to include external app data that may have been shared within the selected 
apps, select the check box. 


6. Click Continue to begin decoding. 


Once the decoding is completed, there is an indication in the Extraction summary that 
Selective decoding was used: 

(Screenshot: Extraction Summary of a Samsung GSM SM-G977U file system extraction 
(Android ADB), with Selective apps decoding indicated next to the extraction, followed by 
the Device Info panel.) 
Important Notice: For the decoding process to complete successfully, native phone data 
may be decoded and displayed in addition to the applications selected during the Selective 
decoding flow. 
11.16. Carving images 


Perform image carving to retrieve jpeg image files or fragments that are incomplete or 
corrupt, signifying that they have been deleted by the user. Image carving retrieves the 
images and rebuilds them as much as possible. 


Perform image carving on demand; carving is not performed when Physical Analyzer opens 
the physical extraction. 


Image carving is only available for physical extractions. 


Image carving can take some time to process. While processing, you can work in parallel in 
Physical Analyzer. 


11.16.1. Scanning for carved images 


To scan for carved images: 

1. Go to Tools > Get more data (carving) > Carve images. 

(Tools menu with Get more data (Carving) expanded, showing Carve images and Carve files 
(generic).) 

The following window appears: 
(Carve Images window. Scan type: Quick scan, Full scan, Full scan without filter, each with 
the description given below. Carve from: Unallocated space, Memory images. Note: Image 
carving is a time consuming task which is performed in parallel with your work on the 
Physical Analyzer.) 


2. Select the scan type: 

Quick scan - This scan has three stages, where Physical Analyzer tries to recover images that 
start with a full, partial, or corrupted header only. 

Full scan - This scan has five stages, where in addition to recovering images that have a full, 
partial, or corrupted header, Physical Analyzer tries to recover images from blocks of jpeg 
data that appear without any header information. A full scan takes longer than a quick scan, 
and potentially finds more images. 

Full scan without filter - This scan uses the same Full scan algorithm without the false 
positive filter. It can be used to verify if images were missed, but it takes by far the longest 
time and causes additional false positives. 

3. Select from where you want to carve the images: 
Unallocated space - scan unallocated memory space. 
Memory images - select all images that you want to scan. 

4. Click OK. 
The scan begins. Results are shown in the Manual evidence > Image carving results tree item. 

(Project tree showing Analyzed Data, then Manual Evidence with Image carving results 
beneath it, followed by Media.) 


11.16.2. Working with carved images 


Open data display tabs for all the carved images, for individual carved images, and extract 
the images to your computer. 
To view all the found images in the project tree: 

» Click to expand the Carving > Images tree item. 
To open a data display tab for an individual image: 

» Double-click the image in the project tree. 

For more information on working with images, see Viewing image files (on page 124). 
To extract (dump) the carved images to your computer: 


1. Right-click the Carving > Images tree item and select Dump. 
2. In the Select Folder window, browse to the desired folder, and click Select Folder. 
11.17. Carving locations 


The Carve locations feature allows you to decode additional location data from unallocated 
space and unsupported databases. The carver lets you search for additional locations either 
around up to three of the most visited areas or around any other custom area. 


The carving results may produce many false positive events. 


To carve for locations: 


1. Select Tools > Get more data (Carving) > Carve locations. 
-Or- 
Open the Device locations and click Carve locations (A). 


The following window appears. 


(Get more locations window: Carve locations from unallocated space and unsupported 
databases. Set the carve radius. Location filter count: 1.) 


2. In the Set the carve radius area, select: 
» Carve most visited areas: Search for additional locations based on up to three most 
visited areas. 
» Custom radius: Use Drop pin to set an initial point, then move the mouse to set the 
radius and click when done. After setting the pin you can drop additional pins, remove the 
last pin or remove all pins. 
[Screenshot: Set the carve radius area with the Drop pin and Remove all pins controls] 


3. Click Carve. A progress bar below the graph indicates the carving progress. When the 
process completes, a message displays the total number of locations that were found. 

Closing the Carving Locations window once the carving process is running does not 
affect the carving process. 


Results are displayed under the Device locations tree item in the Carving column. An 
example is displayed next. 


[Screenshot: Locations (2212) map view of carved locations, with a results table whose columns are Origin, Timestamp and Position (latitude, longitude)] 
11.18. Generic file carver 


Decode additional file data from unallocated space. Supported formats: MPEG, Amr, Silk, 
Mus, Plist, RTF, PDF, and Doc. Carving results are displayed under File Systems > Generic 
Carver Files and under Data Files, marked with a carved icon. 

[Screenshot: File Systems tree item showing Generic Carver Files (15 files, 33,960 KB)] 

MPEG formats: Mp4, 3g2, 3gp, F4a, F4b, F4p, F4v, Jp2, Jp20, M4a, M4b, 
M4p, M4v, Ross, Dvb, Jpm, Jpx, Mj2, Mj4, Mqv, Mov. 


To activate generic file carving: 


» Select Tools > Get more data (Carving) > Carve files (generic). 
11.19. Verifying hash values 


A hash value is a unique and compact representation of a piece of data, which can be used 
for integrity protection because it is computationally infeasible to find two distinct inputs 
that hash to the same value. 


Comparing a reference hash value that was generated during the extraction process for each 
binary extraction against their calculated hash values enables you to verify the integrity of 
the binary extractions you received. 


To verify the hash values: 


1. In the project Extraction Summary tab, do one of the following: 
» If hash information is available for the project, click Verify. 
» If hash information is not available for the project, click Calculate hashes. 
The hash information is calculated or verified. If no reference data is available, the 
message "Hashes have been calculated for this project, but no reference data is available" 
is displayed in the Image Hash Information section of the Extraction Summary tab. 


2. Click View Details. 


[Screenshot: Image Hash Details showing the message "Hashes have been calculated for this extraction, but no reference data is available." and the calculated value SHA256 FDD13A64E4250BE49D6F724A8A9C5D740BA2A8AF03AA8B3E12070472A8C506CC] 


The Image Hash Details dialog displays the comparison result of the reference and 
calculated hash values of each image. 


» Verified indicates matching values. 

» Bad verification indicates the images do not match. 
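The reference-versus-calculated comparison described above, as an added Python example (not Physical Analyzer's own code): it hashes each binary extraction in chunks, reports the dialog's Verified, Bad verification or no-reference outcome, and builds its sample image files (constructed, not real extractions) in a temporary directory.

```python
"""Verify binary extractions against reference hashes, mirroring the three
outcomes the Image Hash Details dialog reports.  Example code added to this
section; the sample image files are constructed in a temporary directory."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images never load whole into RAM


def calculate_hash(path, algorithm="sha256"):
    """Return the upper-case hex digest of the file at `path`."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def verify_image(path, reference=None, algorithm="sha256"):
    """Compare the calculated digest with the reference digest, if one exists.
    Returns (status, calculated); status is one of the dialog's outcomes."""
    calculated = calculate_hash(path, algorithm)
    if not reference:
        return ("Hashes have been calculated, but no reference data is available",
                calculated)
    # compare_digest runs in constant time; normalise case so a reference
    # pasted in lower case still verifies
    if hmac.compare_digest(calculated, reference.strip().upper()):
        return ("Verified", calculated)
    return ("Bad verification", calculated)


def verify_extraction(images):
    """images: dict of image path -> reference digest (or None).
    Returns path -> status, the shape of the Image Hash Details table."""
    return {path: verify_image(path, ref)[0] for path, ref in images.items()}


def build_sample_extraction(directory):
    """Write two constructed image files and return them with reference digests;
    the second file is tampered with after its reference digest was recorded."""
    good = os.path.join(directory, "blk0_mmcblk0.bin")  # constructed file name
    bad = os.path.join(directory, "blk1_mmcblk1.bin")   # constructed file name
    with open(good, "wb") as f:
        f.write(b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 4096)
    with open(bad, "wb") as f:
        f.write(b"constructed userdata partition")
    refs = {good: calculate_hash(good), bad: calculate_hash(bad)}
    with open(bad, "ab") as f:  # one appended byte is enough to break the match
        f.write(b"\x00")
    return refs


def run_demo():
    """Build the sample extraction, verify it, and return statuses by file name
    together with a known-answer digest of an empty file."""
    with tempfile.TemporaryDirectory() as d:
        empty = os.path.join(d, "empty.bin")
        open(empty, "wb").close()
        refs = build_sample_extraction(d)
        report = {os.path.basename(p): s for p, s in verify_extraction(refs).items()}
        report["empty.bin"] = calculate_hash(empty)
        report["no_reference"] = verify_image(empty, None)[0]
        return report


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(name, status)
```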
11.20. Accessing WhatsApp Web data 


Extract WhatsApp Web data such as contacts, user account, chats data, and chat instant 
messages, including attachments, shared contacts, locations, etc., by scanning the WhatsApp 
QR code. 

This capability requires full access to the mobile device in order to scan the QR code through 
the device's WhatsApp mobile app. 

WhatsApp Web extraction can be performed in both Physical Analyzer and UFED Cloud. 


Procedure 

1. In the main menu, go to Cloud > Extraction > Private cloud data. 
2. Enter the required fields. 

3. Click Next. 


[Screenshot: UFED Cloud extractor, Case details step (New person: First name, Last name, Examiner ID; Case details: Case number, Examiner name), followed by the Data sources, Validation, Extraction settings, Media classification and Summary steps] 


4. Select the WhatsApp Web data source. 


If you do not have a UFED Cloud license, all other data sources will be unavailable. 


5. In the WhatsApp Web window, click Save. 
[Screenshot: Data sources step listing the cloud data sources, with WhatsApp Web selected and its window stating: "1. QR code scanning will be required in the following step. 2. User's unlocked mobile device will be required."] 


6. Click Next. 
7. In the Validation step, click QR scanning required. 


[Screenshot: UFED Cloud extractor, Validation step (Validated 0/1) listing the WhatsApp Web user account with the QR scanning required link] 


8. Enter your name. 


9. Click I Approve to approve the multi-factor authentication. 
Multi Factor authentication - approval 

Connecting to a cloud data source which includes a multi factor authentication 
involves receiving communication from the cloud service provider aimed for the 
device user. 

Please approve the use of this method, and that you will use proper legal authority 
under your jurisdiction. 

Skip usage of multi factor authentication 


10. On the device, open the WhatsApp application. 

11. Go to Settings and tap WhatsApp Web. 

12. If the device is logged in to other devices, tap Log out from all devices. 
13. When the camera opens within the application, scan the QR code. 

14. When done, click I scanned the QR. 
[Screenshot: WhatsApp Web QR scan dialog ("1 of 1 QR scan required") with the QR code, the How to scan instructions, and the Cancel and I scanned the QR buttons] 


15. Once validated, click Next. 

16. Select a date range and click Apply. 

17. Click Next. 

18. In the Summary screen, click Start extraction to begin decoding. 
11.21. Network dongle - admin procedures 


The network dongle enables organizations to provide licenses for multiple UFED products, 
from a single, central location, to users connected to your network. This solution provides 
centralized license management where licenses can be easily transferred between users, 
and the network dongle can be updated when required. 


The number of licenses and types available in the network dongle varies based on the 
licenses purchased from Cellebrite. The network dongle solution enables users and an 
administrator to manage and maintain licenses of the UFED applications, by means of an 
Admin Control Center. 


11.21.1. Network dongle - system requirements 


The minimum system requirements for the computer connected to the network dongle are 
as follows: 

» Hardware: at least 1 GB RAM; at least 1 GHz Pentium 4-compatible processor 
» Software (x86 and x64): Windows 2003 Server, Windows XP, Windows 2008, Windows 7, 
Windows 8, Windows Server 2012 


11.21.2. Managing network dongle licenses 


The Admin Control Center provides a single console view of all the licenses within an 
organization, enabling an administrator to effectively manage and maintain licenses of UFED 
applications. Using the Admin Control Center, administrators can update the network 
dongle, and view which licenses are in use and by whom, in real time, making it easy to 
determine and resolve license availability and compliance issues. 


To manage the network dongle licenses: 
1. Use a Remote Desktop Connection to connect to the computer where the network dongle 
is located. 

2. In a browser, enter the following: http://localhost:1947 

1947 is the port number, which must be opened for both TCP and UDP 
communication. 


The Sentinel Admin Control Center window appears. 
[Screenshot: Sentinel Admin Control Center at localhost:1947 showing the Admin Control Center Help page, with the Options pane (Sentinel Keys, Products, Features, Sessions, Update/Attach, Access Log, Configuration, Diagnostics, Help, About). The help text explains that the ACC manages access to software licenses and Features, detachable licenses and sessions, and lets you monitor the Sentinel protection keys available on the network server, the number of users logged in to each key, the Features each key allows, and the users currently logged into a key] 


3. Click Sentinel Keys. The following page appears. 


[Screenshot: Sentinel Keys page ("Sentinel Keys Available on JONATHANKO1") with columns #, Location, Vendor, Key ID, Key Type, Configuration, Version, Sessions, Actions, listing one HASP HL NetTime 50 key (Vendor 92606, Key ID 1660761760) with Products, Features, Sessions and Blink on actions] 

This page enables the administrator to identify which Sentinel Keys are currently 
connected to the network, including locally connected Sentinel Keys. For more 
information, click Help to display the Help for this page. 


11.21.3. Features page 


The Features page enables the administrator to view a list of the features or products that 
are licensed in each of the Sentinel Keys that are currently connected to the network, 
including locally connected Sentinel Keys. In addition, the administrator can see the 
conditions of the license and the current activity related to each feature. 


[Screenshot: Features page ("Features on JONATHANKO1: Key 1660761760", Vendor 92606, Product 15) with columns #, Product, Feature, Location, Access, Counting, Logins, Limit, Detached, Restrictions, Sessions, Actions] 

The list of Feature IDs is as follows: 

Feature ID   Product name 
2            Cellebrite UFED 4PC 
3            Physical/Logical Analyzer 
4            UFED Phone Detective 
5            UFED Link Analysis/Pathfinder Desktop 
10           UFED Cloud 


11.21.4. Sessions page 


The Sessions page lists all sessions of clients on the local machine and of clients remotely 
logged in to the local machine. The Sessions page enables the administrator to view session 
data and to disconnect sessions. 


To disconnect a session: 


» Click Disconnect. The application will close and work in progress may be lost. 

The list of connected computers and the ability to disconnect a computer may 
be required if a user is not available and forgot to close an application. 


[Screenshot: Sessions page ("Sessions on JONATHANKO1, Key 1660761760, Feature 3") with columns ID, Key, Location, Product, Feature, Address, User, Machine, Login Time, Timeout, Actions, listing one session (user jonathank from 192.168.108.80 on JONATHANKO1-LAP) with a Disconnect action] 


11.21.5. Updating the network dongle license 


A C2V (Customer-to-Vendor) file is used to update your network dongle license. An update is 
required if you need to specify additional licenses, new products, features, or renewals. The 
C2V file needs to be sent as an attachment to Cellebrite. A V2C (Vendor-to-Customer) file, 
which contains the license update from Cellebrite, is returned to you. 

To update the network dongle: 

1. In the Sentinel Keys page, click C2V for the network dongle that you need to update. The 
Create C2V page appears. 


[Screenshot: Create C2V file page ("Create C2V file for Key 808756392 (Vendor: 92606)") explaining that a C2V file may be needed by your software vendor to update your licenses, with the Download C2V File and Cancel buttons] 


2. Click Download C2V File. 

3. Send the file as an attachment to support@cellebrite.com. 

4. After you receive the V2C file from Cellebrite, under Options click Update/Attach. The 
following page appears. 


[Screenshot: Update/Attach License page with the prompt "Select a V2C, H2R, R2H, H2H, ALP or ID file:", a Choose File control, and the Apply File and Cancel buttons] 


5. Click Choose file to navigate to the file that you want to apply. The File Upload dialog box 
appears. 


6. Select the appropriate .V2C file and click Apply File. 


11.21.6. Standalone installation of the required drivers 


The required SafeNet network drivers are installed automatically when you install supported 
UFED products such as Physical Analyzer, Logical Analyzer, UFED Cloud, UFED Phone 
Detective, and Cellebrite UFED 4PC. 

You can also perform a standalone installation of the required SafeNet drivers. This enables 
administrators to use the Admin Control Center and monitor network dongle events without 
the need to install Cellebrite applications. 


To install the SafeNet drivers: 


1. Go to http://www.safenet-inc.com/sentineldownloads/# 
2. Click Sentinel HASP/LDK - Windows GUI Run-time Installer 


3. Follow the on-screen instructions. 
11.21.7. Enabling network dongle logs 


The log files are not enabled by default and need to be enabled from 
within the Admin Control Center. 

The log files need to be enabled on the machine where the dongle is 
installed. 


To enable the log file: 


1. In the Admin Control Center, click Configuration > Basic Settings. The following window 
appears. 

[Screenshot: Configuration for Sentinel License Manager, Basic Settings tab, with Machine Name, Allow Remote Access to ACC, Display Refresh Time, Log Table Rows per Page, Write an Access Log File (Size Limit, Edit Log Parameters, Include Local Requests, Include Remote Requests, Include Administration Requests), Write an Error Log File, Write Log Files Daily, Days Before Compressing Log Files, Days Before Deleting Log Files, Write a Process ID (pid) File, Password Protection (Configuration Pages or All ACC Pages), and the Submit, Cancel and Set Defaults buttons] 


For more information on configuring basic settings and defining access log parameters, click 
Help to display the Help for this page. 


2. Select the log file setting check boxes as indicated above. 


The log file is stored in the following path: 

C:\Program Files (x86)\Common Files\Aladdin Shared\HASP\ 

File name: Access.log 
Sample: 

2015-03-04 11:04:00 127.0.0.1:51183 Techlab@WIN-TI4FQ212NGH POST /api/loginex LOGIN_EX (lm=local, haspid=659816198, productid=0, feat=0, sess=00000002) result (0) 
2015-03-04 11:04:01 ::1:51166 [ACC]@::1 GET /_int_/cdata.txt GUI() result (0) 
2015-03-04 11:04:03 ::1:51166 [ACC]@::1 GET /_int_/log.html GUI() result (0) 
2015-03-04 11:04:03 ::1:51166 [ACC]@::1 GET /_int_/tab_log.html GUI() result (0) 
2015-03-04 11:04:06 ::1:51166 [ACC]@::1 GET /_int_/tab_log.html GUI() result (0) 
2015-03-04 11:04:09 ::1:51166 [ACC]@::1 GET /_int_/tab_log.html GUI() result (0) 
2015-03-04 11:04:43 127.0.0.1:51185 Techlab@WIN-TI4FQ212NGH POST /api/logout LOGOUT (lm=local, haspid=659816198, productid=0, feat=0, sess=00000002, duration=43) result (0) 
2015-03-04 11:04:44 ::1:51166 [ACC]@::1 GET /_int_/tab_log.html GUI() result (0) 


In the sample above, you can see the following: 

» Date & time: 2015-03-04 11:04:00 

» IP address & port: 127.0.0.1:51183 

» Username & machine name: Techlab@WIN-TI4FQ212NGH 

» Method asked for: LOGIN 

» License manager: lm=local 

» HASP ID asked for: haspid=659816198 

» Feature and product details: productid=0, feat=0 

» New session created between the protected application and the license: sess=00000002 
» Result of the whole task: result(0) (result 0 = OK) 
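An added example, not part of this manual or of the Sentinel software: a Python parser for the access log format shown above that flags license logins from non-loopback addresses and requests with a non-zero result. SAMPLE_LOG is constructed to match that format; the guest@UNKNOWN-PC client and the result code 30 are assumed values.

```python
"""Parse Sentinel Admin Control Center access log lines and flag events worth
reviewing: license logins from non-loopback addresses and requests whose
result code is not 0.  Example code added to this section, not part of the
manual or of Sentinel; SAMPLE_LOG is constructed to match the documented
format (the guest client and result code 30 are assumed values)."""
import ipaddress
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<addr>\S+):(?P<port>\d+) "             # client IP address & port
    r"(?P<user>[^@\s]+)@(?P<machine>\S+) "       # username & machine name
    r"(?P<verb>GET|POST) (?P<path>\S+) "
    r"(?P<op>[A-Z_]+)\s*\((?P<params>[^)]*)\)"   # method asked for, with parameters
    r"\s*result\s*\((?P<result>\d+)\)\s*$"       # result 0 = OK
)


@dataclass
class Event:
    timestamp: str
    addr: str
    user: str
    machine: str
    op: str
    params: dict
    result: int


def parse_line(line):
    """Return an Event for one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params = {}
    for kv in m["params"].split(","):
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            params[key] = value
    return Event(f"{m['date']} {m['time']}", m["addr"], m["user"], m["machine"],
                 m["op"], params, int(m["result"]))


def is_remote(addr):
    """True unless the client address is loopback (127.0.0.1 or ::1)."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unparseable address: surface it for review rather than hide it


def review(lines):
    """Return (findings, open_sessions): readable findings, and the successful
    LOGIN events whose session id has not yet appeared in a LOGOUT."""
    findings, open_sessions = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.result != 0:
            findings.append(f"{ev.timestamp} {ev.user}@{ev.machine} {ev.op} "
                            f"failed with result {ev.result}")
        if ev.op.startswith("LOGIN"):
            if is_remote(ev.addr):
                findings.append(f"{ev.timestamp} remote license login from {ev.addr} "
                                f"by {ev.user}@{ev.machine} "
                                f"haspid={ev.params.get('haspid')} feat={ev.params.get('feat')}")
            if ev.result == 0:
                open_sessions[ev.params.get("sess")] = ev
        elif ev.op == "LOGOUT":
            open_sessions.pop(ev.params.get("sess"), None)
    return findings, open_sessions


# Constructed sample in the documented format; not a real capture.
SAMPLE_LOG = """\
2015-03-04 11:04:00 127.0.0.1:51183 Techlab@WIN-TI4FQ212NGH POST /api/loginex LOGIN_EX (lm=local, haspid=659816198, productid=0, feat=0, sess=00000002) result (0)
2015-03-04 11:04:01 ::1:51166 [ACC]@::1 GET /_int_/cdata.txt GUI() result (0)
2015-03-04 11:04:20 192.168.108.80:52011 jonathank@JONATHANKO1-LAP POST /api/loginex LOGIN_EX (lm=local, haspid=659816198, productid=15, feat=3, sess=000000E5) result (0)
2015-03-04 11:04:25 192.168.108.81:52012 guest@UNKNOWN-PC POST /api/loginex LOGIN_EX (lm=local, haspid=659816198, productid=15, feat=3, sess=000000E6) result (30)
2015-03-04 11:04:43 127.0.0.1:51185 Techlab@WIN-TI4FQ212NGH POST /api/logout LOGOUT (lm=local, haspid=659816198, productid=0, feat=0, sess=00000002, duration=43) result (0)
"""

if __name__ == "__main__":
    found, still_open = review(SAMPLE_LOG.splitlines())
    for finding in found:
        print(finding)
    print("sessions without a LOGOUT:", sorted(still_open))
```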
12. Working with hex data 


The extraction enables you to view the device image, which is a single file or multiple files 
that contain a comprehensive copy of the contents and structure of the data on the device. 


To access the hex view of the device image: 
» In the project tree, expand the Images tree item, and double-click the desired image. 


An Image tab appears in the data display area showing the image data in Hex view. 


[Screenshot: Image tab showing a JPEG file in Hex view (the data begins FF D8 FF E0 00 10 4A 46 49 46, the JFIF header), with the Values, Tags and Highlights analysis tabs below it and a status bar reading Length: 0x10091 | Offset: 0x0 | Selection: 00] 


Located under the Hex view tab are Analysis Information tabs that display the following types 
of information related directly to the displayed Hex data: 


» Values - A wide array of value interpretations, such as 8, 16, 32, and 64 bit, various string 
encodings, date & time formats, and more, calculated on the fly for the currently selected 
data in the Hex view. See Working in the Values tab (on page 118). 

» Tags - A list of tags added in the displayed Hex data. See Working with Hex tags (on 
page 398). 

» Highlights - A list of content segment markups highlighted in the displayed Hex data. 
The number of highlight results is shown in brackets next to the tab name. See Working 
in the Highlights tab (on page 119). 

» Search - Displays results of a search in the displayed Hex data. A new search results tab 
opens for each search query performed. The number of results for each search is shown 
in brackets next to the tab name. 

For more information on the Image tab, see Hex view (on page 116). 
12.1. Searching for information in the Hex data and decoded data 


[Screenshot: Find window, Find tab, with the Strings data type selected (ASCII 1 byte per character, Unicode 2 bytes per character, UTF-8 1-6 bytes per character, 7 Bit 7 bits per character) and the Options area: Search direction, Search results window, Text and Background colors, Find all instances, Show results comments (slower)] 


The Find window has several tabs that enable you to search the Hex data in the following 
modes: 


» Find - Search for specific parameters, such as strings, bytes, dates, and more. 

You can search using wild cards: ? and + (? replaces an octet (4 bit) and + 
replaces an entire byte). There must be an even number of digits before, 
between or after an asterisk. 

» RegEx (GREP) - Search for strings using Regular Expressions. 
» SMS 7Bit (PDU) - Search for SMS text strings. 

» Pattern - Search for text patterns, in cases in which the pattern of the text is understood 
but not the text itself (mainly used for 7 bit search to locate SMS messages). 

» Code - Specialized search for user codes and passwords. 

The Find modes were built using the Plug-ins architecture. The find 
options can be enhanced and extended by adding new search plug-ins. 
For more information on targeted searches, refer to the following sections: 

» Searching strings (below) 
» Searching bytes (on page 379) 
» Searching dates (on page 381) 
» Searching SIM ICCID numbers (on page 384) 
» Searching SMS numbers (on page 386) 
» Searching for regular expressions (GREP) (on page 388) 
» Searching SMS text strings (on page 391) 
» Searching for patterns (on page 393) 
» Searching for codes and passwords (on page 396) 


12.1.1. Searching strings 


Search for strings to locate different types of data in the Hex data, e.g. text messages, phone 
numbers, names or any other string data. 

1. While viewing Hex data, click Q to open the Find window. 

2. In the Find tab, select Strings from the data type list. 


[Screenshot: Find window with the Strings data type selected, listing the encodings (Unicode 2 bytes per character, UTF-8 1-6 bytes per character, 7 Bit 7 bits per character), the Search parameters area (String parameters: Term, Case sensitive; String parameters (ASCII): Term, Case sensitive) and the Options area (Search direction, Search results window, Text and Background colors, Find all instances, Show results comments (slower))] 


3. Select the type of text encoding to search for the given string: 

» ASCII 
» UNICODE (mainly for non-Latin characters) 
» UTF-8 
» 7 bits (mainly for SMS text) 

The Search parameters area appears. 

4. In the Search parameters area: 


a. In the Term box in the String parameters area, enter the search string. 


b. Select the Case sensitive option, if necessary. 
5. In the Options area, set the desired search options: 
a. In the Search direction list, select the search direction. 

b. In the Search results window list, select New, Replace current, or Add to current, as 
desired. 

c. To set the Text and Background colors, click the color box, select the desired color, 
and click OK. 

The colors you set here are retained for the duration of this session. To change the 
default colors, set the colors in the Setting window. For more information, see Hex 
viewer (on page 432). 
Tip: To easily distinguish between the given results of each search performed, set 
different text and background colors for each search you run. 
d. Do one of the following: 
Select Find all instances to display all search results at the end of the process 

Clear Find all instances to move through the found items one-by-one during the 
search (can also be done by pressing F3). 
e. Select Show results comments to display 
6. In the Additional data area, enhance your search capabilities by including a predefined 
number of characters before and/or after the searched value. This can help you locate 
specific results, or even limit the results to specific entities of the searched value. 


a. Select Show before to show the data immediately before what you are searching for. 


b. In the Offset box, enter the offset from the start of the search result from which to start 
including the additional data. 


c. In the Length box, enter the length of the additional data to include starting at the set 
offset point. For Show before, the Length cannot be longer than the Offset. 


d. In the Show as box, enter the data type for the additional data to be displayed (Hex, 
ASCII, Unicode, or 7Bit). 

e. Select Contains, and enter a string that the search result must contain in its additional 
data. 


f. Select Show after to show the data immediately after what you are searching for, and 
repeat steps 2-5. 


g. For the Show after option, set whether the offset and length of the additional data are 
calculated From result start or From result end. 


The additional data is logged to the Additional before and Additional after fields of search 
results. 


7. Click Find. 


If you selected Find All Instances in the Options area, the results appear in the Search 
results tab in the analysis information tab (in the Hex view tab). 


If you did not select Find All Instances in the Options area, the next found instance is 
highlighted in the Hex View tab. 
The Search results tab includes the following: 

» # - The instance number. 
» Offset - The address offset of the data file in the Hex data. 
» Length - The string length in bytes. 
» Value - The string itself. 
» Source 
» More 
» Additional before - If you set additional data options in the Find window, displays the 
data located immediately before the result. 
» Additional after - If you set additional data options in the Find window, displays the data 
located immediately after the result. 
8. To display a result instance in the Hex view tab, click on the desired row in the search 
results tab. 
9. To search for specific data and filter the search results, use the Find box in the search 
results tab. 
10. To export the search results list, click the desired output in the Search tab toolbar: Excel, 
HTML, PDF, or XML. 


12.1.2. Searching bytes 


Search for bytes to look for specific occurrences in the Hex data. This is especially useful 
when you know the identifying header of a file type or information you are looking for. For 
example, the starting Hex bytes of a jpeg image are FF D8 FF. Therefore, the result of 
searching for FF D8 FF provides the locations of all possible jpeg image headers in the Hex 
data. 
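An added Python example, not Physical Analyzer's own code, that performs the FF D8 FF search described here together with the wildcard rule from 12.1 and the Additional data (Show before / Show after) options from the steps in 12.1.1: ? matches one hex digit and, as an assumption, * is used for the whole-byte wildcard; SAMPLE_IMAGE is a constructed buffer, not a real extraction.

```python
"""Byte-pattern search over a device image with the Find window's wildcards:
'?' stands for one hex digit (a nibble) and '*' (assumed spelling) for any
whole byte; hex digits must come in whole bytes around a byte wildcard.  Also
collects the Additional data bytes before and after each hit.  Example code
added to this section; SAMPLE_IMAGE is a constructed buffer."""

HEX_DIGITS = "0123456789ABCDEF"


def compile_hex_pattern(pattern):
    """Translate 'FF D8 FF E?' into a list of (value, mask) byte matchers:
    data byte b matches when (b & mask) == value."""
    text = pattern.replace(" ", "").upper()
    matchers, i = [], 0
    while i < len(text):
        if text[i] == "*":                  # whole-byte wildcard
            matchers.append((0x00, 0x00))
            i += 1
            continue
        pair = text[i:i + 2]
        if len(pair) < 2 or "*" in pair:    # the "even number of digits" rule
            raise ValueError("hex digits must form whole bytes around '*': %r" % pattern)
        value = mask = 0
        for shift, ch in ((4, pair[0]), (0, pair[1])):
            if ch == "?":                   # nibble wildcard: leave these mask bits clear
                continue
            if ch not in HEX_DIGITS:
                raise ValueError("not a hex digit: %r" % ch)
            value |= int(ch, 16) << shift
            mask |= 0xF << shift
        matchers.append((value, mask))
        i += 2
    if not matchers:
        raise ValueError("empty pattern")
    return matchers


def find_all(data, pattern):
    """Offsets of every match of `pattern` in `data` (Find all instances, Down)."""
    matchers = compile_hex_pattern(pattern)
    n = len(matchers)
    return [off for off in range(len(data) - n + 1)
            if all((data[off + k] & m) == v for k, (v, m) in enumerate(matchers))]


def search(data, pattern, before=None, after=None):
    """Search results with optional additional data, as the Find window's
    Show before / Show after options describe them.
    before: (offset, length) counted back from the result start; length <= offset.
    after:  (offset, length, from_result_end) counted forward."""
    n = len(compile_hex_pattern(pattern))
    if before and before[1] > before[0]:
        raise ValueError("for Show before, Length cannot be longer than Offset")
    results = []
    for idx, off in enumerate(find_all(data, pattern), start=1):
        row = {"#": idx, "offset": off, "length": n,
               "value": data[off:off + n].hex(" ").upper()}
        if before:
            start = max(off - before[0], 0)
            end = min(start + before[1], off)   # never reach into the result itself
            row["additional_before"] = data[start:end].hex(" ").upper()
        if after:
            base = off + n if after[2] else off  # From result end / From result start
            start = base + after[0]
            row["additional_after"] = data[start:start + after[1]].hex(" ").upper()
        results.append(row)
    return results


# Constructed buffer: filler, a JFIF header at offset 5, unrelated bytes,
# and an Exif header at offset 19.
SAMPLE_IMAGE = (b"\x00\x01\x02\x03\x04"
                + b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"
                + b"xyz"
                + b"\xFF\xD8\xFF\xE1\x00\x0CExif")

if __name__ == "__main__":
    for row in search(SAMPLE_IMAGE, "FF D8 FF", before=(2, 2), after=(0, 3, True)):
        print(row)
```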


1. While viewing Hex data, click Q to open the Find window. 
2. In the Find tab, select Bytes from the data type list. 


[Screenshot: Find window with the Bytes data type selected, showing the Search parameters area (Hex bytes parameters: Bytes (hex)), the Additional data area (Show before) and the Options area (Search direction, Search results window, Text and Background colors, Find all instances, Show results comments (slower))] 
3. Select Hex. 
The Search parameters area appears. 


4. In the Bytes (hex) box, enter the Hex value, for example, FFD8FF. 
5. In the Options area, set the desired search options: 
a. In the Search direction list, select the search direction. 


b. In the Search results window list, select New, Replace current, or Add to current, as 
desired. 


c. To set the Text and Background colors, click the color box, select the desired color, 
and click OK. 


The colors you set here are retained for the duration of this session. To change the 
default colors, set the colors in the Setting window. For more information, see Hex 


viewer (on page 432). 
Tip: To easily distinguish between the given results of each search performed, set 
different text and background colors for each search you run. 


d. Do one of the following: 
Select Find all instances to display all search results at the end of the process 


Clear Find all instances to move through the found items one-by-one during the 
search (can also be done by pressing F3). 


e. Select Show results comments to display 


6. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.
a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.


7. Click Find.

If you selected Find All Instances in the Options area, the results appear in the Search results tab in the analysis information tab (in the Hex view tab).
If you did not select Find All Instances in the Options area, the next found instance is highlighted in the Hex View tab.

The Search results tab includes the following:

» # - The instance number.
» Offset - The address offset of the data file in the Hex data.
» Length - The string length in bytes.
» Value - The string itself.
» Source
» More
» Additional before - If you set additional data options in the Find window, displays the data located immediately before the result.
» Additional after - If you set additional data options in the Find window, displays the data located immediately after the result.

8. To display a result instance in the Hex view tab, click on the desired row in the search results tab.
9. To search for specific data and filter the search results, use the Find box in the search results tab.
10. To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML.
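As an added example (not Physical Analyzer's own code), the Python below reproduces the Bytes search above over a constructed hex dump: it finds every FFD8FF instance, honours Search direction and Find all instances, and fills the Additional before and Additional after columns from the Show before/Show after options (Offset, Length, Show as, Contains, From result start/From result end). The option and column names come from the procedure; the dictionary keys, the sample bytes and the omission of the 7Bit display type are this example's own assumptions.

```python
import re
from typing import Optional

# Constructed sample "Hex data": two JPEG SOI markers (FFD8FF) surrounded
# by recognisable bytes so the before/after windows have content to show.
HEX_DATA = bytes.fromhex(
    "00010203"        # offsets 0-3: filler
    "41424344"        # offsets 4-7: "ABCD"
    "FFD8FFE0"        # offset 8: first hit (SOI + APP0 marker)
    "00104A46494600"  # APP0 length + "JFIF\0"
    "DEADBEEF"        # filler
    "FFD8FFE1"        # offset 23: second hit (SOI + APP1 marker)
    "00164578696600"  # APP1 length + "Exif\0"
)


def show_as(chunk: bytes, fmt: str) -> str:
    """Render an additional-data window like the Show as box (7Bit omitted)."""
    if fmt == "Hex":
        return chunk.hex().upper()
    if fmt == "ASCII":
        return chunk.decode("ascii", errors="replace")
    if fmt == "Unicode":
        return chunk.decode("utf-16-le", errors="replace")
    raise ValueError(f"unsupported Show as value: {fmt}")


def additional_window(data: bytes, hit_start: int, hit_len: int,
                      opt: dict, side: str) -> bytes:
    """Slice the window described by one Additional data block.

    opt keys (this example's names): offset, length, show_as, optional
    contains, and for Show after an anchor of 'From result start'
    (default) or 'From result end'.
    """
    if side == "before":
        # Show before counts back from the result start, so the window
        # cannot be longer than the offset without overlapping the hit.
        if opt["length"] > opt["offset"]:
            raise ValueError("For Show before, Length cannot exceed Offset")
        start = hit_start - opt["offset"]
    else:
        anchor = opt.get("anchor", "From result start")
        base = hit_start if anchor == "From result start" else hit_start + hit_len
        start = base + opt["offset"]
    start = max(start, 0)
    return data[start:start + opt["length"]]


def find_bytes(data: bytes, bytes_hex: str, direction: str = "Down",
               find_all: bool = True, before: Optional[dict] = None,
               after: Optional[dict] = None) -> list:
    """Search results rows (#, Offset, Length, Value, Additional before,
    Additional after) for every occurrence of the hex pattern."""
    pattern = bytes.fromhex(bytes_hex)
    starts = [m.start() for m in re.finditer(re.escape(pattern), data)]
    if direction == "Up":
        starts.reverse()
    results = []
    for start in starts:
        row = {"Offset": start, "Length": len(pattern),
               "Value": pattern.hex().upper(),
               "Additional before": "", "Additional after": ""}
        keep = True
        for side, opt, column in (("before", before, "Additional before"),
                                  ("after", after, "Additional after")):
            if not opt:
                continue
            window = additional_window(data, start, len(pattern), opt, side)
            text = show_as(window, opt["show_as"])
            # Contains: drop results whose additional data lacks the string.
            if opt.get("contains") and opt["contains"] not in text:
                keep = False
            row[column] = text
        if keep:
            row["#"] = len(results) + 1
            results.append(row)
            if not find_all:   # Find all instances cleared: stop at the first hit
                break
    return results


if __name__ == "__main__":
    # Keep only SOI markers whose bytes after the result end contain "JFIF".
    rows = find_bytes(
        HEX_DATA, "FFD8FF",
        before={"offset": 4, "length": 4, "show_as": "ASCII"},
        after={"offset": 0, "length": 8, "show_as": "ASCII",
               "anchor": "From result end", "contains": "JFIF"},
    )
    for row in rows:
        print(row)
```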


12.1.3. Searching dates

Search for dates to find date ranges in the Hex data.

1. While viewing Hex data, click the Find icon to open the Find window.
2. In the Find tab, select Dates from the data type list.


[Screenshot: Find window, Find tab, with Dates selected as the data type. The filter lists date formats and plug-ins such as Epoch Jan 1, 1900 (Samsung timestamp), Epoch Jan 1, 2001, YYYYMMDDHHMM, BlackBerry (Epoch Jan 1, 1970) and Epoch Jan 1, 1904 (HFS+ filesystem). The Search parameters area shows the Dates range parameters (Min date, Max date); the Options and Additional data areas are also shown.]
The filter box displays a list of date formats and plug-ins that can be used for date searches.

3. Select the desired date format(s) and any plug-in(s) that you want to use in the current search.

Which plug-ins are suitable depends on how the data is encoded, what type of device you are analyzing, and so on. If you select a plug-in that is not suitable, your search results may contain false results. For example, you can select BlackBerry if you are analyzing a BlackBerry device. If you are not analyzing a BlackBerry device, selecting BlackBerry may return results that are inaccurate.

The Search parameters area appears.
4. In the Min Date and Max Date fields, click the calendar icon to select a date from the calendar.
Tip: Set a short date range in order to reduce the number of results.

Tip: When searching for a particular date, set the Min Date and Max Date fields to a range of no more than 24 hours.
5. In the Options area, set the desired search options:
a. In the Search direction list, select the search direction.
b. In the Search results window list, select New, Replace current, or Add to current, as desired.
c. To set the Text and Background colors, click the color box, select the desired color, and click OK.

The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex viewer (on page 432).

Tip: To easily distinguish between the results of each search performed, set different text and background colors for each search you run.

d. Do one of the following:
Select Find all instances to display all search results at the end of the process.
Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3).
e. Select Show results comments to display.
6. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.
a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.


7. Click Find.

If you selected Find All Instances in the Options area, the results appear in the Search results tab in the analysis information tab (in the Hex view tab).
If you did not select Find All Instances in the Options area, the next found instance is highlighted in the Hex View tab.

The Search results tab includes the following:

» # - The instance number.
» Offset - The address offset of the data file in the Hex data.
» Length - The string length in bytes.
» Value - The string itself.
» Source
» More
» Additional before - If you set additional data options in the Find window, displays the data located immediately before the result.
» Additional after - If you set additional data options in the Find window, displays the data located immediately after the result.

8. To display a result instance in the Hex view tab, click on the desired row in the search results tab.
9. To search for specific data and filter the search results, use the Find box in the search results tab.
10. To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML.
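As an added example (not Physical Analyzer's own code), the Python below scans a constructed buffer the way the Dates search above does: every 4-byte window is read as seconds since each of the listed epochs (1900, 1904 for HFS+, 1970, 2001) in both byte orders, ASCII YYYYMMDDHHMM strings are decoded as well, and only values between Min date and Max date are kept. Treating each epoch plug-in as 32-bit unsigned seconds is this example's assumption, as are the column names; the BlackBerry plug-in is not modelled.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Epochs from the Dates filter list, interpreted here as 32-bit unsigned
# seconds (this example's assumption; 1904 is HFS+, 1970 Unix, 2001 Apple).
EPOCHS = {
    "Epoch Jan 1, 1900": datetime(1900, 1, 1, tzinfo=UTC),
    "Epoch Jan 1, 1904": datetime(1904, 1, 1, tzinfo=UTC),
    "Epoch Jan 1, 1970": datetime(1970, 1, 1, tzinfo=UTC),
    "Epoch Jan 1, 2001": datetime(2001, 1, 1, tzinfo=UTC),
}
# ASCII date string plug-in: exactly 12 digits not embedded in a longer run.
YYYYMMDDHHMM = re.compile(rb"(?<!\d)\d{12}(?!\d)")


def seconds_since(dt: datetime, epoch: datetime) -> int:
    return int((dt - epoch).total_seconds())


def find_dates(data: bytes, min_date: datetime, max_date: datetime,
               plugins=None) -> list:
    """Search results rows for every 4-byte window (both byte orders) and
    every ASCII YYYYMMDDHHMM string that decodes to a date in the range."""
    plugins = plugins or list(EPOCHS) + ["YYYYMMDDHHMM"]
    hits = []
    for name in plugins:
        if name == "YYYYMMDDHHMM":
            for m in YYYYMMDDHHMM.finditer(data):
                s = m.group(0).decode()
                try:
                    dt = datetime(int(s[:4]), int(s[4:6]), int(s[6:8]),
                                  int(s[8:10]), int(s[10:12]), tzinfo=UTC)
                except ValueError:      # e.g. month 13: digits but not a date
                    continue
                if min_date <= dt <= max_date:
                    hits.append({"Offset": m.start(), "Length": 12, "Plug-in": name,
                                 "Endian": "-", "Value": dt.isoformat()})
            continue
        epoch = EPOCHS[name]
        lo = max(seconds_since(min_date, epoch), 0)
        hi = seconds_since(max_date, epoch)
        if hi < lo:                     # the whole range predates this epoch
            continue
        for off in range(len(data) - 3):
            for endian, fmt in (("LE", "<I"), ("BE", ">I")):
                (secs,) = struct.unpack_from(fmt, data, off)
                if lo <= secs <= hi:
                    value = epoch + timedelta(seconds=secs)
                    hits.append({"Offset": off, "Length": 4, "Plug-in": name,
                                 "Endian": endian, "Value": value.isoformat()})
    hits.sort(key=lambda h: (h["Offset"], h["Plug-in"], h["Endian"]))
    for i, h in enumerate(hits, 1):
        h["#"] = i
    return hits


# Constructed sample buffer: one instant written three ways, an older Unix
# timestamp, and filler (offsets noted for the checks below).
INSTANT = datetime(2016, 9, 11, 12, 0, tzinfo=UTC)
OLDER = datetime(2010, 5, 5, tzinfo=UTC)
SAMPLE = (
    b"\x00" * 4                                                               # 0
    + struct.pack("<I", seconds_since(INSTANT, EPOCHS["Epoch Jan 1, 1970"]))  # 4
    + b"\xff" * 4                                                             # 8
    + struct.pack(">I", seconds_since(INSTANT, EPOCHS["Epoch Jan 1, 2001"]))  # 12
    + b"201609111200"                                                         # 16
    + struct.pack("<I", seconds_since(OLDER, EPOCHS["Epoch Jan 1, 1970"]))    # 28
    + b"\x00" * 4                                                             # 32
)

if __name__ == "__main__":
    # The manual's tip: a window of at most 24 hours keeps the hit list short.
    day = find_dates(SAMPLE, datetime(2016, 9, 11, tzinfo=UTC),
                     datetime(2016, 9, 12, tzinfo=UTC))
    years = find_dates(SAMPLE, datetime(2000, 1, 1, tzinfo=UTC),
                       datetime(2016, 9, 12, tzinfo=UTC))
    print(f"{len(day)} hits in a 24-hour window, {len(years)} hits across 16 years")
    for h in day:
        print(h)
```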
12.1.4. Searching SIM ICCID numbers

This search method enables you to search for SIM ICCID numbers in the Hex data.

1. While viewing Hex data, click the Find icon to open the Find window.
2. In the Find tab, select SIM from the data type list.


[Screenshot: Find window, Find tab, with SIM selected as the data type and ICCID (Search for ICCID) listed. The Search parameters area shows the Numbers sample configuration (Number box, Allow partial match); the Options and Additional data areas are also shown.]


3. Select ICCID.
The Search parameters area appears.

4. In the Numbers sample configuration area, enter the ICCID number in the Number box.
5. If you entered only part of the number, select Allow Partial Match. For example, if you enter the number 89972 and select this option, Physical Analyzer searches for the ICCID numbers issued by a particular service provider.
6. In the Options area, set the desired search options:
a. In the Search direction list, select the search direction.
b. In the Search results window list, select New, Replace current, or Add to current, as desired.
c. To set the Text and Background colors, click the color box, select the desired color, and click OK.
The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex viewer (on page 432).
Tip: To easily distinguish between the results of each search performed, set different text and background colors for each search you run.
d. Do one of the following:
Select Find all instances to display all search results at the end of the process.
Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3).
e. Select Show results comments to display

7. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.
a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.


8. Click Find.

If the Number field is left empty, the search results include all the numbers that match the ICCID format.

If you selected Find All Instances in the Options area, the results appear in the Search results tab in the analysis information tab (in the Hex view tab).
If you did not select Find All Instances in the Options area, the next found instance is highlighted in the Hex View tab.
The Search results tab includes the following:

» # - The instance number.
» Offset - The address offset of the data file in the Hex data.
» Length - The string length in bytes.
» Value - The string itself.
» Source
» More
» Additional before - If you set additional data options in the Find window, displays the data located immediately before the result.
» Additional after - If you set additional data options in the Find window, displays the data located immediately after the result.

9. To display a result instance in the Hex view tab, click on the desired row in the search results tab.
10. To search for specific data and filter the search results, use the Find box in the search results tab.
11. To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML.


12.1.5. Searching SMS numbers

Search for SMS numbers in the Hex data.

1. While viewing Hex data, click the Find icon to open the Find window.
2. In the Find tab, select Numbers from the data type list.


[Screenshot: Find window, Find tab, with Numbers selected as the data type. The list offers Reverse nibbles numbers (Reverse nibble numbers search) and SMS PDU numbers (SMS PDU numbers search). The Search parameters area shows two Numbers sample configuration blocks: the Number box with Allow partial match, and the Nibbles box. The Options and Additional data areas are also shown.]


3. To perform a search of SMS PDU numbers, select SMS PDU numbers.

The Search parameters area appears.

a. In the Number field, enter the search number.

If the Number field is left empty, the search results include all the numbers that match the SMS Number format.

b. If you entered only part of the number, select Allow Partial Match.

4. To search for reversed nibbles, select Reverse nibbles numbers.

Use this option when the data has been encoded to include reversed nibbles.

The Search parameters area appears.

» In the Nibbles field, enter the desired nibble.


5. In the Options area, set the desired search options:
a. In the Search direction list, select the search direction.
b. In the Search results window list, select New, Replace current, or Add to current, as desired.
c. To set the Text and Background colors, click the color box, select the desired color, and click OK.

The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex viewer (on page 432).

Tip: To easily distinguish between the results of each search performed, set different text and background colors for each search you run.

d. Do one of the following:
Select Find all instances to display all search results at the end of the process.
Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3).
e. Select Show results comments to display


6. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.
a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.


7. Click Find.

If you selected Find All Instances in the Options area, the results appear in the Search results tab in the analysis information tab (in the Hex view tab).
If you did not select Find All Instances in the Options area, the next found instance is highlighted in the Hex View tab.

The Search results tab includes the following:

» # - The instance number.
» Offset - The address offset of the data file in the Hex data.
» Length - The string length in bytes.
» Value - The string itself.
» Source
» More
» Additional before - If you set additional data options in the Find window, displays the data located immediately before the result.
» Additional after - If you set additional data options in the Find window, displays the data located immediately after the result.

8. To display a result instance in the Hex view tab, click on the desired row in the search results tab.
9. To search for specific data and filter the search results, use the Find box in the search results tab.
10. To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML.
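As an added example (not Physical Analyzer's own code), the Python below shows what the Numbers search above operates on: digits stored as reversed nibbles (GSM semi-octets, two digits per byte with the first digit in the low nibble and an F filler for odd lengths), a scan for such a number with and without Allow partial match, and a scan for SMS PDU address fields. A SIM stores its ICCID in the same swapped-nibble form, so the partial-match case from 12.1.4 is covered too. The phone number, the ICCID and the sample bytes are constructed; the PDU address layout (digit count, type-of-address byte, digits) is the standard SMS one.

```python
import re

# Constructed values: a fictitious 11-digit international number and a
# fictitious 19-digit ICCID (odd lengths, so both get an F filler nibble).
PHONE = "15551234567"
ICCID = "8997201234567890123"


def encode_reversed_nibbles(digits: str) -> bytes:
    """Pack decimal digits as semi-octets: first digit in the low nibble."""
    if not digits.isdigit():
        raise ValueError("digits only")
    padded = digits + ("F" if len(digits) % 2 else "")
    return bytes(int(padded[i + 1] + padded[i], 16)
                 for i in range(0, len(padded), 2))


def nibble_string(data: bytes) -> str:
    """Data read nibble by nibble with each byte's nibbles swapped, which is
    how a reversed-nibble number reads in the Hex view."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)


def decode_reversed_nibbles(raw: bytes) -> str:
    return nibble_string(raw).rstrip("F")


def find_reversed_number(data: bytes, number: str, allow_partial: bool = False) -> list:
    """Byte offsets at which `number` occurs in reversed-nibble encoding.

    A full match must start on a byte boundary and, for an odd digit count,
    be followed by the F filler. Allow partial match accepts the digits
    anywhere, even a fragment that starts in the high nibble of a byte.
    """
    if not number.isdigit():
        raise ValueError("digits only")
    nibbles = nibble_string(data)
    hits = []
    for m in re.finditer(f"(?={number})", nibbles):   # overlapping matches
        idx, end = m.start(), m.start() + len(number)
        if not allow_partial:
            if idx % 2:
                continue
            if len(number) % 2 and nibbles[end:end + 1] != "F":
                continue
        hits.append(idx // 2)
    return hits


def parse_pdu_address(data: bytes, offset: int):
    """Parse a TP-OA/TP-DA style field: [digit count][type of address]
    [reversed-nibble digits]. Returns (number, toa, next_offset) or None."""
    if offset + 2 > len(data):
        return None
    ndigits, toa = data[offset], data[offset + 1]
    if not 1 <= ndigits <= 20 or not toa & 0x80:
        return None
    nbytes = (ndigits + 1) // 2
    raw = data[offset + 2:offset + 2 + nbytes]
    if len(raw) < nbytes:
        return None
    digits = nibble_string(raw)
    body, pad = digits[:ndigits], digits[ndigits:]
    if not body.isdigit() or pad not in ("", "F"):
        return None
    prefix = "+" if toa & 0x70 == 0x10 else ""   # type of number 001 = international
    return prefix + body, toa, offset + 2 + nbytes


def find_pdu_numbers(data: bytes, number: str = "", allow_partial: bool = False) -> list:
    """Search results rows for every offset that parses as a PDU address
    field. An empty Number returns everything that matches the format."""
    rows = []
    for off in range(len(data)):
        parsed = parse_pdu_address(data, off)
        if parsed is None:
            continue
        value, _, end = parsed
        digits = value.lstrip("+")
        if number and not (number in digits if allow_partial else number == digits):
            continue
        rows.append({"#": len(rows) + 1, "Offset": off, "Length": end - off, "Value": value})
    return rows


# Constructed sample "Hex data": a PDU address field at offset 2 (0x91 =
# international type of address) and the ICCID at offset 13, with filler.
SAMPLE = (
    b"\x00\x00"
    + bytes([len(PHONE), 0x91]) + encode_reversed_nibbles(PHONE)
    + b"\x00\x00\x00"
    + encode_reversed_nibbles(ICCID)
    + b"\xff\xff"
)

if __name__ == "__main__":
    print(find_pdu_numbers(SAMPLE))
    print(find_reversed_number(SAMPLE, "89972", allow_partial=True))
```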


12.1.6. Searching for regular expressions (GREP)

Search for regular expressions (RegEx) in order to look for a specific string structure within the data.

For example, with the regular expression "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[A-Za-z]{2,4}", Physical Analyzer searches your data for all the email addresses that match the structure <string>@<string>.<2 to 4 letters>.


1. While viewing Hex data, click the Find icon to open the Find window.
[Screenshot: Find window, RegEx (GREP) tab, showing the expression field with its toolbar icons, Maximum result length (50), Ignore case, Multiline, the Library list (Description, RegEx), and the Options and Additional data areas.]


2. In the RegEx (GREP) tab, enter the expression that you want to use in the search.
3. Click the corresponding icon to enter a regular expression code from a list of common codes.
4. Click the corresponding icon to save the current expression in the library list.
5. Click the corresponding icon to clear the regular expression field.
6. Set the Maximum result length value to filter only results that are up to the specified length.
7. Select Ignore case to disregard the case in the search results.
8. Select Multiline.
9. To use a saved expression from the library, click it in the Library area.
10. To export the current regular expression library to a *.rel file, click the corresponding icon.
11. To load an exported regular expression from a *.rel file, click the corresponding icon.
12. To delete an expression from the library list, click the corresponding icon.


13. In the Options area, set the desired search options:
a. In the Search direction list, select the search direction.
b. In the Search results window list, select New, Replace current, or Add to current, as desired.
c. To set the Text and Background colors, click the color box, select the desired color, and click OK.

The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex viewer (on page 432).

Tip: To easily distinguish between the results of each search performed, set different text and background colors for each search you run.
d. Do one of the following:
Select Find all instances to display all search results at the end of the process.
Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3).
e. Select Show results comments to display


14. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.
a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.


15. Click Find.

If you selected Find All Instances in the Options area, the results appear in the Search results tab in the analysis information tab (in the Hex view tab).
If you did not select Find All Instances in the Options area, the next found instance is highlighted in the Hex View tab.

The Search results tab includes the following:

» # - The instance number.
» Offset - The address offset of the data file in the Hex data.
» Length - The string length in bytes.
» Value - The string itself.
» Source
» More
» Additional before - If you set additional data options in the Find window, displays the data located immediately before the result.
» Additional after - If you set additional data options in the Find window, displays the data located immediately after the result.
16. To display a result instance in the Hex view tab, click on the desired row in the search results tab.
17. To search for specific data and filter the search results, use the Find box in the search results tab.
18. To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML.


12.1.7. Searching SMS text strings


This search method enables you to search for SMS text strings (7bit PDU) in the Hex data.


1. While viewing Hex data, click the Find icon to open the Find window.
2. Select the SMS 7Bit (PDU) tab.


[Screenshot: Find window, SMS 7bit (PDU) tab, showing Text options (Letters only, Numbers only, Both; Unique results only; Allow symbols; Show low match results; Minimum length), Type (Unicode, 7Bit, 7Bit reversed), the Advanced settings (Maximum number of Upper/Lower case switches, Maximum number of Letter/Digit/Symbol switches, Minimum number of words, Space required every N chars, Maximum occurrences of the following characters, Contains the following word/words divided by spaces), and the Options and Additional data areas.]


3. In the Text Options area, set the following search parameters:
a. Set the search type: Letters only, Numbers only, or Both.
b. To show unique results, select Unique results only.
c. To allow symbols in the search results, select Allow symbols.
d. To show low match results, select Show low match results.
e. To set the minimum number of characters in the results, set the Minimum length.
4. In the Type area, select the search type: Unicode, 7Bit, 7Bit reversed.
5. In the Advanced area, set the following, as applicable:
» Maximum number of Upper/Lower case switches
» Maximum number of Letter/Digit/Symbol switches
» Minimum number of words
» Space required every N chars
» Maximum occurrences of the following characters
» Contains the following words divided by spaces.
6. In the Options area, set the desired search options:
a. In the Search direction list, select the search direction.
b. In the Search results window list, select New, Replace current, or Add to current, as desired.
c. To set the Text and Background colors, click the color box, select the desired color, and click OK.

The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex viewer (on page 432).
Tip: To easily distinguish between the results of each search performed, set different text and background colors for each search you run.

d. Do one of the following:
Select Find all instances to display all search results at the end of the process.
Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3).
e. Select Show results comments to display
7. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.


a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.

8. Click Find.

If you selected Find All Instances in the Options area, the results appear in the Search results tab in the analysis information tab (in the Hex view tab).
If you did not select Find All Instances in the Options area, the next found instance is highlighted in the Hex View tab.

The Search results tab includes the following:

» # - The instance number.
» Offset - The address offset of the data file in the Hex data.
» Length - The string length in bytes.
» Value - The string itself.
» Source
» More
» Additional before - If you set additional data options in the Find window, displays the data located immediately before the result.
» Additional after - If you set additional data options in the Find window, displays the data located immediately after the result.

9. To display a result instance in the Hex view tab, click on the desired row in the search results tab.
10. To search for specific data and filter the search results, use the Find box in the search results tab.
11. To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML.


12.1.8. Searching for patterns

When navigating within a large memory structure, search for patterns to locate any content that is textual in nature.

1. While viewing Hex data, click the Find icon to open the Find window.
2. Select the Pattern tab.
[Screenshot: Find window, Pattern tab, showing Text options (Letters only, Numbers only, Both; Unique results only; Allow symbols; Show low match results; Minimum length 1; Maximum length 9999), Type (ASCII, Unicode, 7Bit, 7Bit reversed), the Advanced settings (Maximum number of Upper/Lower case switches, Maximum number of Letter/Digit/Symbol switches, Minimum number of words, Space required every N chars, Maximum occurrences of the following characters, Contains the following word/words divided by spaces), and the Options and Additional data areas.]
3. In the Text Options area, set the following search parameters:
a. Set the search type: Letters only, Numbers only, or Both.
b. To show unique results, select Unique results only.
c. To allow symbols in the search results, select Allow symbols.
d. To show low match results, select Show low match results.
4. In the Minimal length and Maximal length fields, set the pattern length range.

This option enables you to filter the results according to the searched patterns.

5. In the Type area, select the search type: ASCII, Unicode, 7Bit and/or 7Bit reversed.
6. In the Advanced area, set the following, as applicable:
» Maximum number of Upper/Lower case switches
» Maximum number of Letter/Digit/Symbol switches
» Minimum number of words
» Space required every N chars
» Maximum occurrences of the following characters
» Contains the following words divided by spaces.
7. In the Options area, set the desired search options:
a. In the Search direction list, select the search direction.
b. In the Search results window list, select New, Replace current, or Add to current, as desired.
c. To set the Text and Background colors, click the color box, select the desired color, and click OK.

The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex viewer (on page 432).

Tip: To easily distinguish between the results of each search performed, set different text and background colors for each search you run.

d. Do one of the following:
Select Find all instances to display all search results at the end of the process.
Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3).
e. Select Show results comments to display


8. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value.
a. Select Show before to show the data immediately before what you are searching for.
b. In the Offset box, enter the offset from the start of the search result from which to start including the additional data.
c. In the Length box, enter the length of the additional data to include starting at the set offset point. For Show before, the Length cannot be longer than the Offset.
d. In the Show as box, enter the data type for the additional data to be displayed (Hex, ASCII, Unicode, or 7Bit).
e. Select Contains, and enter a string that the search result must contain in its additional data.
f. Select Show after to show the data immediately after what you are searching for, and repeat steps 2-5.
g. For the Show after option, set whether the offset and length of the additional data are calculated From result start or From result end.

The additional data is logged to the Additional before and Additional after fields of search results.


Click Find. 


Pattern search can be used to locate all possible 7 bit SMS text results. 
To minimize the number of false positive results set the Minimal 


Length value to a higher number. 


If you selected Find All Instances in the Options area, the results appear in the Search 
results tab in the analysis information tab (in the Hex view tab). 


If you did not select Find All Instances in the Options area, the next found instance is 
highlighted in the Hex View tab. 


The Search results tab includes the following: 


» # - The instance number. 

» Offset - The address offset of the data file in the Hex data. 

» Length - The string length in bytes. 

» Value - The string itself. 

» Source 

» More 

» Additional before - If you set additional data options in the Find window, displays the 
data located immediately before the result. 

» Additional after - If you set additional data options in the Find window, displays the data 
located immediately after the result. 


» To display a result instance in the Hex view tab, click on the desired row in the search results tab. 

» To search for specific data and filter the search results, use the Find box in the search results tab. 

» To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML. 
12.1.9. Searching for codes and passwords 


Search large memory structures for user codes and passwords. 


1. While viewing Hex data, click Q to open the Find window. 
2. Select the Code tab. 


(Screenshot: Find window, Code tab, showing the Text options, Options, and Additional data areas.) 

3. In the Text Options area, set the following search parameters: 
a. Set the search type: Letters only, Numbers only, or Both. 
b. To show unique results, select Unique results only. 
4. In the Minimal length and Maximal length fields, set the pattern length range. 


This option enables you to filter the results according to the searched patterns. 


5. In the Options area, set the desired search options: 

a. In the Search direction list, select the search direction. 

b. In the Search results window list, select New, Replace current, or Add to current, as 
desired. 

c. To set the Text and Background colors, click the color box, select the desired color, 
and click OK. 
The colors you set here are retained for the duration of this session. To change the default colors, set the colors in the Setting window. For more information, see Hex-viewer (on page 432). 


Tip: To easily distinguish between the given results of each search performed, set 
different text and background colors for each search you run. 


d. Do one of the following: 
Select Find all instances to display all search results at the end of the process 


Clear Find all instances to move through the found items one-by-one during the search (can also be done by pressing F3). 


e. Select Show results comments to display 
6. In the Additional data area, enhance your search capabilities by including a predefined number of characters before and/or after the searched value. This can help you locate specific results, or even limit the results to specific entities of the searched value. 

a. Select Show before to show the data immediately before what you are searching for. 

b. In the Offset box, enter the offset from the start of the search result from which to start 
including the additional data. 

c. In the Length box, enter the length of the additional data to include starting at the set 
offset point. For Show before, the Length cannot be longer than the Offset. 

d. In the Show as box, enter the data type for the additional data to be displayed (Hex, 
ASCII, Unicode, or 7Bit). 

e. Select Contains, and enter a string that the search result must contain in its additional 
data. 

f. Select Show after to show the data immediately after what you are searching for, and 
repeat steps 2-5. 

g. For the Show after option, set whether the offset and length of the additional data are 
calculated From result start or From result end. 

The additional data is logged to the Additional before and Additional after fields of search results. 


Click Find. 


If you selected Find All Instances in the Options area, the results appear in the Search 
results tab in the analysis information tab (in the Hex view tab). 


If you did not select Find All Instances in the Options area, the next found instance is 
highlighted in the Hex View tab. 


The Search results tab includes the following: 


» # - The instance number. 

» Offset - The address offset of the data file in the Hex data. 

» Length - The string length in bytes. 

» Value - The string itself. 

» Source 

» More 

» Additional before - If you set additional data options in the Find window, displays the 
data located immediately before the result. 

» Additional after - If you set additional data options in the Find window, displays the data 
located immediately after the result. 


» To display a result instance in the Hex view tab, click on the desired row in the search results tab. 

» To search for specific data and filter the search results, use the Find box in the search results tab. 

» To export the search results list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML. 
12.2. Browsing the hex extraction 


» Double-click on a binary hex extraction in the project tree to display its content in a Hex 
view tab in the data display area. 


You can also click the image links in the Extraction Log area at the bottom of the Extraction Summary tab to access the Hex extraction. 


12.3. Using an offset to jump to a different location in the file 


Scan the Hex data by setting an offset value by which to jump through the data. 


To move from a set position: 

1. Click ®. 

2. Select Decimal or Hex and in the Offset box, enter the offset value in the relevant format. 

3. In the From area, set the reference point from which to set the offset (Beginning of file, 
Current position, or End of file). 

4. Click Go. 


The cursor moves to the offset location. 


To move from the current location: 


1. Click on a specific location in the Hex data. 
2. In the offset value box in the toolbar, enter the desired offset value in decimal format (20) 
or Hex value format (0x20), or select one of the previously entered values from the list. 


Type + or - before the value to calculate the offset from the current position. 


3. Do one of the following: 
» Click $ to jump backwards through the Hex data according to the set value. 
» Click = to jump forwards through the Hex data according to the set value. 


12.4. Working with Hex tags 


A Hex tag is a quick reference pointer you can create on Hex data. 


The tags you create are managed in the Hex Tags tree item. The number of Hex tags in the 
project is shown in brackets next to the Hex Tags tree item. 
» In the project tree, double-click Hex Tags to list the tags in a tab in the data display area. 


» To print or export the Hex tags list, click the desired output in the Hex Tags tab toolbar: Excel, HTML, PDF, or XML. 


12.4.1. Adding a Hex tag 


1. While viewing Hex data, do one of the following: 
» In the Hex View tab toolbar, click 7. 
» To bookmark a specific segment in the Hex data, highlight the section that you want to 
bookmark, and then click @ in the Hex View tab toolbar. 


The Add tag dialog box is displayed. 


(Screenshot: Add tag dialog box, showing the Address and Base fields.) 


2. In the Name box, enter a name for the Hex tag. 
3. In the Description box, enter a description for the Hex tag. 
4. If you did not highlight an area in the Hex, in the Location area, do the following: 
a. Select the desired unit for the address, Decimal or Hex, from the Base list. 
b. In the Address box, enter the address of the start point (offset) of the data you want to 
tag. 
c. In the Length box, enter the length of the data you want to tag. 
5. In the Colors area, set the Background and Text colors for the tag. 
6. Click OK. 


The new Hex tag is saved and displayed in the Hex tags tab. 


The marked segment is highlighted in the chosen colors. Details about the Hex tag 
appear in the results window. 


Each Hex tag displays the following information: 
» Offset - The address offset of the bookmark paragraph in the Hex data. 
» Length - The bookmarked data segment length. 


» Description - The bookmark name. 
7. Click on a Hex tag item in the Hex tag list to display it in Hex view. 


12.4.2. Editing a Hex tag 
1. In the Hex data tab, click the Tag tab. The following tab is displayed. 


(Screenshot: Tags tab at the bottom of the Hex view, listing Source, Offset, Length, Name, and Notes for each tag.) 


2. Click 7 to edit an existing tag. The Add tag window appears. 
3. Change the tag as desired, and click OK. 


4. To delete a tag, click X. 


12.5. Decoding raw data 

Select segments of the Hex data and decode them to a variety of encoding types on the fly. 
Physical Analyzer can decode Hex data to 8 Bit, 16 Bit, 32 Bit, 64 Bit, Strings, Date & Time, 
Binary, and Numbers. 


To decode segments of Hex data: 

1. In the Hex View tab, select the segment of data that you want to decode. 
2. In the Values tab at the bottom of the Hex view tab, scroll to the desired encoding, then 
click Œ to expand the display. 
(Screenshot: Values tab, listing the encoding types 8 Bit, 16 Bit, 32 Bit (Little endian and Big endian, Signed and Unsigned, Float), 64 Bit (Little endian, Big endian, Double), Strings, Date & Time (Little endian and Big endian Unix time, File time, Epoch Jan 1 1900, Epoch Jan 1 2001, Epoch Jan 1 1904, Epoch Jan 1 1980, Epoch Jan 6 1980, Epoch Jan 1 1970 (Android), Epoch Jan 1 2001 (Double)), Generic, Manufacturer specific, and Binary, together with the decoded values for the selected segment.) 

Some encoding options have sub-decoding categories. 


Click *S or BB to expand or collapse all the encoding types. 


To decode a different segment of data, select another segment in the Hex View tab. 


The results in the Values tab change to reflect the selected segment. 
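The interpretations in the Values tab can be reproduced outside the tool. The following is an added Python example (not Cellebrite code) that applies the same 8/16/32/64-bit, float and Date & Time interpretations to a constructed 4-byte selection; the epoch base dates are assumed from the tab's labels, and File time is assumed to follow the Windows FILETIME convention (100 ns ticks since 1601).

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample selection (not taken from the manual): the four bytes
# 20 00 00 00, which read as 32 little-endian and 536870912 big-endian.
SAMPLE_SELECTION = bytes.fromhex("20000000")

UTC = timezone.utc
# Base dates offered under Date & Time in the Values tab (assumed from the tab labels).
EPOCHS = {
    "Unix time": datetime(1970, 1, 1, tzinfo=UTC),
    "Epoch Jan 1, 1900": datetime(1900, 1, 1, tzinfo=UTC),
    "Epoch Jan 1, 1904": datetime(1904, 1, 1, tzinfo=UTC),
    "Epoch Jan 1, 1980": datetime(1980, 1, 1, tzinfo=UTC),
    "Epoch Jan 6, 1980": datetime(1980, 1, 6, tzinfo=UTC),
    "Epoch Jan 1, 2001": datetime(2001, 1, 1, tzinfo=UTC),
}
# Assumed: File time is a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
BYTE_ORDERS = (("Little endian", "<"), ("Big endian", ">"))


def decode_integers(sel: bytes) -> dict:
    """Read the first 1/2/4/8 bytes of the selection as signed and unsigned
    integers in both byte orders, plus 32-bit float and 64-bit double."""
    out = {}
    for bits, code in ((8, "b"), (16, "h"), (32, "i"), (64, "q")):
        width = bits // 8
        if len(sel) < width:
            continue  # selection too short for this width; the tab shows nothing here
        chunk = sel[:width]
        for order, prefix in BYTE_ORDERS:
            out[f"{bits} Bit/{order}/Signed"] = struct.unpack(prefix + code, chunk)[0]
            out[f"{bits} Bit/{order}/Unsigned"] = struct.unpack(prefix + code.upper(), chunk)[0]
            if bits == 32:
                out[f"{bits} Bit/{order}/Float"] = struct.unpack(prefix + "f", chunk)[0]
            if bits == 64:
                out[f"{bits} Bit/{order}/Double"] = struct.unpack(prefix + "d", chunk)[0]
    return out


def _add(base: datetime, **delta) -> Optional[datetime]:
    """base + timedelta, or None when the value cannot be represented as a date
    (too large, infinite or NaN), which is the usual result of decoding random bytes."""
    try:
        return base + timedelta(**delta)
    except (OverflowError, ValueError):
        return None


def decode_timestamps(sel: bytes) -> dict:
    """Interpret the selection as a 32-bit second count from each epoch, as a
    64-bit FILETIME, and as a double-precision second count from 2001."""
    out = {}
    for order, prefix in BYTE_ORDERS:
        if len(sel) >= 4:
            secs = struct.unpack(prefix + "I", sel[:4])[0]
            for name, base in EPOCHS.items():
                out[f"{name}/{order}"] = _add(base, seconds=secs)
        if len(sel) >= 8:
            ticks = struct.unpack(prefix + "Q", sel[:8])[0]
            out[f"File time/{order}"] = _add(FILETIME_EPOCH, microseconds=ticks // 10)
            secs_d = struct.unpack(prefix + "d", sel[:8])[0]
            out[f"Epoch Jan 1, 2001 (Double)/{order}"] = _add(EPOCHS["Epoch Jan 1, 2001"], seconds=secs_d)
    return out


if __name__ == "__main__":
    for table in (decode_integers(SAMPLE_SELECTION), decode_timestamps(SAMPLE_SELECTION)):
        for key, value in table.items():
            print(f"{key:40} {value}")
```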


12.6. Viewing the hex data information 


Display the information of bookmarked segments and search results when you point to them in the Hex View tab. 


1. In the Hex View tab toolbar, click g 


2. Position the mouse over bookmarked information or search results in the Hex. 


The floating information frame appears. 




The information includes the following: 


» Links (pointers) to analyzed data items such as files and folders in the project tree. 
» Search results associated with the pointed data. 




3. To edit the bookmark, click El. 
4. To copy the data, click ®. 


The data is copied to the clipboard. 
5. To pin the information frame open, click +». 


The information frame remains open and displays the information for the last segment 
that you point to. The information displayed in the frame is automatically updated when 
you point to a different bookmarked segment or search result. 


6. To close the information frame, click X. 


12.7. Locating specific data types in the Hex 


The Highlights tab presents analyzed data locations within the Hex data, enabling you to find the exact location(s) of a particular type of analyzed data in the Hex data. 


1. Access the Highlights tab at the bottom section of the Hex view. 
2. In the project tree, select one of the Analyzed Data folders, for example, Contacts. 


The selected folder is highlighted in the Hex View tab; the Highlights tab lists the chunks 
in the selected folder. 


(Screenshot: Highlights tab listing Contact entries in the Value column, each with its source path under /private/var/mobile/Applications/.) 


3. To export the Highlights list, click the desired output in the Search tab toolbar: Excel, HTML, PDF, or XML. 
13. Camera and screenshot evidence 


Cellebrite UFED together with the UFED camera enables you to collect evidence by taking pictures or videos of a device. A screenshot feature captures internal screenshots directly from a BlackBerry, Android or iOS device. These options can be useful as complementary evidence or in instances when data cannot be extracted from a device. This evidence can be displayed in Physical Analyzer together with any notes, categories and bookmarks, which were added by the examiner. For information on capturing camera and screenshot evidence, refer to the Cellebrite UFED 4PC or Cellebrite UFED Touch user manuals. 


To import camera or screenshot evidence: 
» Click the Evidence.ufd file. 


The Camera Evidence (pictures and videos) or Phone Evidence (screenshots) is imported into Physical Analyzer as a new project. The evidence includes Phone Evidence or Camera Evidence divided by category, as well as entity bookmarks and notes that were added during the extraction. 


To import camera and screenshot evidence together with the extracted data: 
» Click the EvidenceCollection.ufdx file. 


The Camera Evidence (pictures and videos), Phone Evidence (screenshots) and the extracted data are imported into Physical Analyzer as a single project. The evidence includes Phone Evidence and Camera evidence, as well as categories, entity bookmarks and notes that were added during the extraction. 


Drag-and-drop the EvidenceCollection.ufdx file into Physical Analyzer to open multiple extractions, which were performed for a particular device. That is, all extractions in the folder will be opened. Each extraction (.ufd file) in the folder can also be opened separately. An example folder with multiple extractions and a UFDX file is displayed next. 


Name 

CaptureScreenshots 2014_08_27 (001) - Samsung GSM Samsung GT-i5510M Galaxy 
FileSystemDump Samsung GSM GT-i5510M Galaxy 2014_08_27 (001) 
Physical Samsung GSM GT-i5510M Galaxy 2014_08_27 (001) 
UFED Samsung GSM GT-i5510M Galaxy 356210042118450 2014 08_27 (001) 
EvidenceCollection.ufdx 
14. Advanced decoding 


This section explains the following: 


» Managing chains (below) 
» Plug-ins (on page 416) 
» Using the Python shell (on page 418) 
» Exporting the file system (on page 419) 
» Using the Android unlock pattern carver plug-in (on page 419) 
» Android unlock password carver plug-in (on page 420) 


These features are available with Physical Analyzer only. 


14.1. Managing chains 


A chain is a set of plug-ins grouped together, which is used to process the extracted data of 
a device. Each device in the supported devices list of the application has a predefined 
parsing chain assigned to it. 


As part of its building blocks, a chain can also include other predefined chains. 


Use the Chain manager to: 

» Manage and edit existing chains 
» Create new chains 

» Assign chains to devices 

To manage application chains: 


1. Do one of the following: 


» In the Plug-ins menu, select Chain manager. 


» Click 8”. The Chain manager window appears. 
(Screenshot: Chain Manager window with the Quick Filter box.) 


The Chains list on the left enables you to filter the displayed chains list. 


Click My Chains to display your custom chains. 
Click All Chains to display a list of all the predefined chains. 
Use the Quick Filter box at the top left of the window to filter the displayed list of chains. 


To display the chains assigned to a specific device, from the Devices section of the list, 
select one of the following: 




» All Devices to display a list of all the predefined devices. 


» A manufacturer name to display a list of the predefined devices of the selected 
manufacturer. 


6. Double-click on a device to display its chains window. 
The chains window of the device displays at least one chain that was assigned to it. 


Chains management is separated into two sections: 
» Cellebrite default chains 


» User customized chains 


The User customized chains are saved as a TOML file in the user's “App Data” folder and are not overwritten when upgrading the Physical Analyzer version. 
(Screenshot: Windows Explorer showing the UserChainAndPlugins folder under AppData > Roaming > Cellebrite Mobile Synchronization > UFED Physical Analyzer, containing UserChainsDatabase.toml.) 


When editing or creating a chain, the TOML file is updated once the Physical Analyzer instance is closed. It is therefore recommended to have only one Physical Analyzer instance open when updating/customizing user chains. Close the Physical Analyzer instance once chain customization is complete to apply the changes. 


Having multiple Physical Analyzer instances open can create a situation with different states of updates to the user chains file. This can override the user's intended update. 


If the user's TOML file is corrupted (manually edited incorrectly or corrupted by an external process), Physical Analyzer overrides the user's chain file with a clean state when loading. 


14.1.1. Constructing a new chain 


1. In the Chain manager window, click New Chain. 
2. Click New Chain. The New Chain window appears. 
(Screenshot: New Chain window, showing the Description box and the Component Library list of plug-ins with their descriptions, for example AgereCallLogs, AgerePhoneBook, AgereReader, Android Databases.) 

Click New Chain at the top of the window, and enter a name for the chain. 
In the Description box, enter a short description for the chain (optional). 
From the Component Library, select a component category: 

» Plugins - Specific plug-ins. 

» Chains - Specific predefined chains. 

» Devices - Entire chain of specific plug-ins. 


Devices and Chains are added to the chain as a chain component. 


6. To add a component to your chain list, click + next to the component. 

7. To remove a component from the chain list, click ~ at the right of the component item, 
then click Yes to approve. 

8. To edit the parameters of a plug-in or chain, select it from the chain components list (on the left) and set the options displayed. 


To return to the Component Library display and continue adding more plug-ins and chains, click Add Chain/Plugin. 


9. When finished, click Save. The new chain is added to your My Chains list. 


14.1.2. Editing an existing chain 


To edit chains that you have created: 


2. In the Chain manager My Chains list, double-click the chain you wish to edit. 
3. Click Add Chain/Plugin to display the Component Library. 
(Screenshot: chain editing window with the Component Library list and the Save As, Save, and Cancel buttons.) 


To add a component to your chain list, click + next to the component. 


5. To remove a component from the chain list, click = at the right of the component item, 
then click Yes to approve. 


6. To edit the parameters of a plug-in or chain, select it from the chain components list (on the left) and set the options displayed. 


(Screenshot: chain editing window showing the options of a selected plug-in component, including RangeName, with the Save As, Save, and Cancel buttons.) 


To return to the Component Library display and continue adding more plug-ins and chains, click Add Chain/Plugin. 
7. When finished, click Save, or Save As to save the edited chain as a new chain. 


8. If you selected Save As, enter a name for the new chain and click Save. 


Changes made to factory predefined locked chains can only be saved as a new chain. 


14.1.3. Attaching devices to a chain 


You can attach devices to chains you have created, or modify device chains and save them as a copy. 
1. Double-click the chain to which you want to attach a device. 


2. Click Edit Devices. The following window appears. 


(Screenshot: Devices For Chain window with the Attach Device button.) 


3. In the Devices For Chain window, click Attach Device. 
(Screenshot: Select Device window with the Quick Filter box.) 


4. In the Select Device window, select the device you would like to attach to the chain and 
click Select. 


5. Repeat steps 3 and 4 to add more devices. 


6. When you have finished attaching the devices, click Save. 


14.1.4. Setting the default device chain 


1. In the Chain manager window, use the Devices list to locate the device you wish to modify. 


2. Double-click on the device to display its chains window. The following window appears. 
(Screenshot: device chains window, listing the chain FileSystem - iPhoneFS.) 


3. If the chains list of the device contains more than one chain, click » to set it as the default 
chain of the device. 


4. Click Close to close the device chains window. 


14.1.5. Detaching devices from a chain 


1. Double-click on the chain from which you wish to detach a device. 


2. Click Edit Devices at the top right of the chain window. The following window appears. 
(Screenshot: Devices For Chain window with the Attach Device button.) 


3. Click * at the right of every device you wish to detach from the chain. 
4. Click Close. 


5. Click Cancel to close the chain window. 


14.1.6. Removing a chain 


You can remove chains from the My Chains list only. 
1. In the Chain manager window, select My Chains. 


2. Click X at the right of the chain. 
14.1.7. Chain descriptions 


The following table lists selected UFED device chains and descriptions. 


» Android Generic - Decodes generic chains for Android devices. 
» Android Logical with Content - Decodes content for Android logical extractions. 
» Android Samsung Nexus - Decodes Samsung Nexus devices. 
» AndroidADB Backup - Decodes the Android ADB backup file. 
» AndroidContent - Decodes content for Android file systems. 
» AndroidDD - Decodes certain types of Android devices using the metadata from the extraction. 
» AndroidFS - Decodes different file systems on Android. This is part of Motorola Android or AndroidDD chains. 
» AndroidFSR - Decodes Android devices with the FSR flash translation layer. 
» AndroidFSR JTAG - Decodes JTAG extractions of Android phones with the FSR flash translation layer. 
» AndroidiDen - Decodes Motorola iDen with Android operating system physical extractions. 
» AndroidMotorolaYaffs - Decodes Motorola Android device (AndroidDD) extractions. 
» AndroidMTK MMC - Decodes MMC extractions of MTK Android devices. 
» AndroidMTK NAND - Decodes NAND extractions of MTK Android devices. 
» AndroidNvidia - Decodes Android devices with an Nvidia chipset. 
» AndroidSamsungFAT - Decodes various Samsung Android phones with FAT file systems. 
» AndroidXSR - Decodes Android devices with the XSR flash translation layer. 
» AndroidXSR JTAG - Decodes JTAG extractions of Android phones with the XSR FTL. 
» BlackBerry Filesystem Content - Decodes data from BlackBerry file systems. 
» BlackBerry Physical - Decodes BlackBerry physical and/or file system extractions. 
» BlackBerry10 Backup - Decodes BlackBerry10 bbb Backup files. 
» BlackBerry10 Content - Decodes content from BlackBerry10 devices. 
» BlackBerry10 Physical - Decodes the partitions and file system. 
» BlackBerryBackup - Decodes BlackBerry backup extractions. 
» BlackBerryIPD - Decodes BlackBerry backup devices using Cellebrite's default chain. 
» CasioC 700Content - Decodes models for the Casio c7X1 series. 
» Garmin - Decodes GPS data from Garmin devices. 
» Generic FAT - Decodes FAT (file allocation table) system. 
» HTC Generic JTAG - Decodes the extraction in all supported methods for HTC devices. 
» iCloudBackup - Decodes data from Apple iCloud backup. 
» Infineon V2 - Decodes data from Infineon devices. 
» iPhone Content - Decodes content for iPhones. 
» Phone Logical with Content - Decodes iPhone content for logical extractions. 
» iPhone Databases Logical - Decodes iPhone logical report extractions with databases. 
» iPhone Logical Backup - Decodes iPhone logical report extractions. 
» iPhoneBackup - Decodes data from iPhone backup. 
» iPhoneBackupLogical - Decodes data from iPhone backups for logical extractions. 
» iPhoneFS - Decodes iPhone file systems and content. 
» iPhonePhysical - Decodes Physical iPhone extractions. 
» Kyocera S2300 Content - Decodes Kyocera S2300 SMS. 
» LG Qualcomm JTAG with Content - Decodes file system and content from JTAG extractions of LG Qualcomm devices. 
» Mass Storage Device Filesystems - Decodes standard file systems from physical mass storage device extractions. 
» Mio - Decodes data from Mio devices. 
» Motorola Android - Decodes Motorola Android devices. 
» MTK Generic - Decodes data from MTK devices. 
» Navitel - Decodes data from Navitel GPS devices. 
» Nokia Content - Decodes all Nokia content. 
» Nokia FS - Decodes Nokia file systems. 
» Nokia Physical with Content - Decodes physical extractions of Nokia devices. 
» Nokia Predef Content - Decodes content of Nokia Predef devices. 
» Nokia Predef XSR - Decodes non Symbian Nokia BB5 physical extractions. 
» echCdm8999Contents - Decodes SMS, MMS and call logs for the Pantech CDM8999 device. 
» QCAndroid - Decodes Qualcomm Android physical extractions. 
» QCAndroid JTAG - Decodes JTAG extractions of Qualcomm Android devices. 
» Qualcomm EFS ZTE with SMS - Decodes raw EFS and ZTE SMS. 
» Qualcomm Physical JTAG - Decodes JTAG extraction of Qualcomm devices. 
» Qualcomm Winmobile - Decodes the flash translation layer of LG Windows mobile and extracts files and SMS from the file system. 
» Report - Decodes reports into Physical Analyzer. 
» Report with ADB Backup - Decodes logical extractions and ADB Backup on Android devices. 
» Samsung Generic JTAG - Decodes the extraction in all supported methods for Samsung devices. 
» Samsung MCUv2 - No MMS, Phonebook - Decodes MCUv2 devices excluding MMS and phonebook. 
» Samsung MCUv3 Content - Decodes content from MCUv3 file system. 
» Samsung MCUv3 Physical - Decodes the file system from MCUv3 extractions. 
» Samsung MCUv3 - Decodes a file system from MCUv3 extractions. 
» Samsung Non Android Content - Decodes content of Samsung devices that are not running Android operating systems. 
» Samsung Qualcomm JTAG with Content - Decodes file system and content from JTAG extractions of Samsung Qualcomm devices. 
» Samsung Qualcomm with Content - Decodes file system and content from Samsung Qualcomm devices. 
» Samsung Qualcomm with SMS - Decodes file system and SMS from Samsung Qualcomm devices. 
» Sanyo Qualcomm CDMA Physical - Decodes the flash translation layer file systems and content of Sanyo CDMA devices with a Qualcomm chip. 
» Sanyo Qualcomm JTAG with Content - Decodes content from JTAG extractions of Sanyo CDMA devices with a Qualcomm chip. 
» SIM Card FS - Decodes content from file system extractions of SIM cards. 
» Symbian databases - Decodes content databases for Nokia Symbian devices. 
» Symbian Physical - Decodes the flash translation layer and a FAT partition using Symbian. 
» Symbian XSR JTAG - Decodes JTAG extractions of Symbian phones with the XSR flash translation layer. 
» UMX content - Decodes content from UMX devices. 
» WebOS - Decodes file systems for Web operating system devices (Palm). 
» Windows Mobile XSR JTAG - Decodes JTAG extractions of Windows mobile devices with the XSR flash translation layer. 
» Windows Phone 8 - Decodes extractions of Windows Phone 8 devices. 
» WindowsPhone7 - Decodes extractions of Windows Phone 7 devices. 
» WindowsPhone8 JTAG - Decodes JTAG extractions of Windows Phone 8 devices. 
» ZTE SMS - Decodes SMS from ZTE feature devices. 


14.2. Plug-ins 


The Plug-ins mechanism is an API that allows users to expand the abilities of the application 
by adding plug-ins provided by Cellebrite, or custom tailored plug-ins written using Python. 


14.2.1. Managing plug-ins 


The Add/Remove Plugins window enables you to manage the installed plug-ins. 


1. Click @. The following window appears. 
(Screenshot: Add/Remove Plugins window, with the Show builtin plug-ins and Automatically run the added plugin check boxes.) 


2. To display all the installed plug-ins, including the built-in plug-ins that cannot be 
removed, select Show built-in plug-ins. 


(Screenshot: Add/Remove Plugins window listing the installed plug-ins, for example AgereCallLogs, AgereReader, Android Databases, Android Disk Encryption Remover, AndroidADBBackup.) 


Perform the following tasks in the Add/Remove Plugins window: 


3. To install additional plug-ins, drag them to the Add/Remove Plugins window. 
4. To extract a copy of an installed plug-in, select the plug-in and click Extract Plugin. 


5. To remove an installed plug-in, select the plug-in and click Uninstall. 


You cannot extract or uninstall a built-in plug-in of the application. 


6. To display the plug-in status, double-click the plug-in. 


The Plug-in Status dialog displays the status of the plug-in, which can be either signed or 
unsigned. 


A signed plug-in is a plug-in that was approved and signed by Cellebrite. 
14.2.2. Running a specific plug-in 


You can run an individual plug-in on your project. 


1. In the Plug-ins menu, select Run plug-in. The following window appears, listing the available plug-ins by name. 


2. Select the desired plug-in from the list of plug-ins, and click Run. 


14.3. Using the Python shell 


The built-in Python shell enables you to run customized decoding and analysis using Python 
commands. 


To open the Python shell window, do one of the following: 
» In the Python menu, select Python shell. 


» Click the Python shell icon. The Python shell window appears, showing the active project and a Restart Shell button. 


For additional information on how to use Python shell commands for custom analysis, refer 
to the “Python Scripting Guide”, accessible from the Help menu. 


14.4. Exporting the file system 


Export the extracted file system to save the entire file system to a selected location on 
your computer. The export writes the physical files and folder structure in the same 
hierarchy as the original file system. 


To export the extracted file system: 


1. In the Tools menu, select Dump file system, or click the Dump file system icon. 
2. In the Browse For Folder dialog, select the target location to which to save the extracted 
file system. 
3. Click Make New Folder to create a new folder in the target location. 
4. Click OK to export the file system. 


14.5. Using the Android unlock pattern carver plug-in 


Use the Android Unlock Pattern Carver plug-in when working with Android devices for which 
decoding is not yet supported. 


The Android Unlock Pattern Carver plug-in can decode unlock patterns on Android devices. 
The plug-in can be executed on the image file created by the UFED device, JTAG, chip-off, or 
other tools for which decoding is not yet supported. The image file can contain all device 
partitions, or the user data partition only. 

1. Perform a physical extraction using the UFED unit. 

2. In Physical Analyzer, open the Android physical extraction either by dragging and 
dropping, or by using the "Open Advanced" option. 

3. Run the Android Unlock Pattern Carver plug-in. For more information on running a plug-in, 
see Running a specific plug-in (on the previous page). 


The unlock pattern is presented in the Extraction Summary tab, Device Info area. 

4. Unlock the Android device, and perform a physical or file system extraction using the 
UFED device. 


14.6. Android unlock password carver plug-in 


Physical Analyzer includes the Android Unlock Password Carver plug-in. The plug-in, 
developed by the CCL Forensics group and integrated into Physical Analyzer by Cellebrite, 
attempts to extract the unlock passwords from Android extractions. The plug-in can be found 
in the standard plug-ins list. 
15. Settings 


The Settings window provides a set of functional and behavioral setup options used to fine- 
tune and control the functionality and usability of the application. The settings in the Settings 
window apply to all the projects open in Physical Analyzer. 


Changes to settings are lost when you close Physical Analyzer. To save the 
settings configuration, see Saving settings (on page 445). 


To access the Settings window: 


» Select Tools > Settings. 


15.1. General settings 


Set general application settings in the General Settings tab. 


Localization 


To set the interface language of Physical Analyzer: 


» In the Localization area, in the Language list, select the desired interface language. 


To set the translation language: 


1. In the Localization area, select the Translation language. That is the language to which 
you want to translate the text. You can only select one Translation language. To request 
additional translation languages, select Get more languages. 

2. Select the Show translation language by default check box to display translations by 
default. Clear this check box so that the translation will not appear when you translate 
text. To see the translation select View translated. 


The Smart Translator automatic language detection check box is 
selected by default and automatically identifies the Smart Translator 
language to which you want to translate. To manually select the Smart 
Translator language, clear the check box. 


Time zone 


To shift timestamps and enable daylight saving time: 


1. In the Time zone area, from the Time zone settings (UTC) list, select one of the time 
zones (UTC -11:00 to UTC +14:00) to recalculate network-defined timestamps according 
to the time zone offset. 


2. Select the Automatically adjust timestamps to UTC+0 check box, to automatically adjust 
timestamps to UTC+0. This setting is recommended when working on multiple extractions 
so that all records will be presented according to the same adjusted time zone offset. 


This check box is selected by default, but is disabled if the Always 
adjust timestamps to this time zone check box is selected. 


3. To automatically adjust timestamps to the device's time zone, select the Automatically 
adjust timestamps according to the device's time zone check box. When this check box is 
selected, all timestamps will be adjusted to the mobile device time zone, including report 
outputs. 


If the time zone of the device is identified during decoding, a 
message is displayed allowing you to adjust all extractions to the 
device's time zone. 


4. To enable the daylight saving time, select the Use daylight savings check box. 

5. To change the start and end dates for daylight saving time, click Daylight Saving Time. For 
more information on how to change the time zone settings, see Setting a unified time 
zone for the project (on page 445). 


To use the device's time zone if detected: 
» In the Time zone area, make sure that the Prompt when device time zone detected check 
box is selected. 


Multiple extractions 


To change the multiple extraction settings: 


1. In the Multiple extractions area, select the Open a UFDX file check box to open multiple 
extractions as a single project. If this check box is not selected all extractions will be 
opened as Independent extractions. By default, this check box is selected. 


2. In the Multiple extractions area, select the Remove duplicates check box to eliminate 
duplicate or redundant information in the project. Clear this check box to 
show the duplicates in the project. By default this check box is not selected. 


To merge or group items: 
» In the Multiple extractions area, make sure that the Merge check box is selected. This 
option is relevant to both decoding and reporting. 


Export 


To set the encoding and separator of exported CSV files: 
1. In the Export area, select the desired encoding option from the Encoding list. 


2. Select the desired separator in the Separator list. 


Temp folder 


To set the temp folder location to be used: 


1. In the Temp folder area, click Change. 
2. Select the temp folder location. 
3. Click Select folder. 


If the selected folder is deleted or inaccessible at any given time, an 
automatic fallback to the Windows default temp folder will be performed. 
You will then need to re-select the folder or a new path as necessary. 


Dictionary files 


To change the default location of the dictionary files: 


» In the Dictionary files area, click Change and select a new location to be used when 
creating dictionaries. 




Image hash verification 


To automatically verify images on project load: 
» In the Image hash verification area, select the Automatically verify images on project load 
check box. 


Extractions 


To offer to load a session file (that was saved in the folder where the extraction is 
located) when opening its corresponding extraction: 


» In the Extractions area, select Suggest restoring a session file when its corresponding 
extraction is loaded. 


To set how deleted files are handled: 


1. In the Extractions area, select the Save deleted files check box to save deleted files. 


2. Select the Add '.DEL' extension for deleted files check box to save deleted files with the 
*.DEL extension. 


Thumbnail cache 


To set the number of extractions for the cached thumbnails in a project: 

» In the Thumbnails area, select the number of extractions from 5 to 20. The default is 10. 
If you do not want to save the cached thumbnails: 

» In the Thumbnails area, clear the Save cached thumbnails in project check box. 

If you do not want to load the thumbnail cache to memory (to conserve disk space): 


» In the Thumbnails area, clear the Load thumbnail cache to memory check box. 


Highlight information 


To disable information highlighting: 


» In the Highlight information area, select the Disable highlight information check box. 


To change the default location for the highlights database files: 


» In the Highlights information area, click Change and select a new location to store the 
dedicated highlights databases (for memory ranges and highlights information). This 
requires additional temporary disk storage (that will be automatically deleted once you 
close the application). 
Views 
Selected entities are included in reports or results. 
To select all entities by default to be included in reports, for all views: 


» In the Views area, select the Check all entities by default check box. 

To remove cloud data sources from results: 

» In the Views area, clear the Display cloud data source results check box. 
To disable the What's new page: 


» In the Views area, select the Disable What's new check box. 

Data enrichment 

Enable or disable the conversion of BSSID values and cell towers to physical locations. 
To convert BSSID and cell tower values to physical locations: 

» Select the Convert BSSID values (wireless network) to physical locations check box. 


To set the BSSID window to appear: 


» Select the Show the Convert BSSID (wireless networks) and cell tower values window 
check box. The window will appear upon startup. 


» Select the Show the Export BSSID (wireless networks) and cell tower values window 
check box. The window will appear upon opening a relevant extraction. 


Map 


To display maps for extractions with location data: 
» In the Map area, select the Use maps check box. 
To use the offline maps option: 


» In the Map area, select the Use offline maps check box. 
Decoding 


To recover deleted data from Android devices via carving: 


» In the Decoding area, select the Recover deleted data for Android devices via carving 
from unallocated space check box. 


To remove items that were detected as false positives during carving: 


» In the Decoding area, select the Automatically remove items that are detected as false 
positive check box. 


To enable the deep carving to recover deleted records from SQLite files: 


» In the Decoding area, select the Use deep carving for SQLite check box. 


A SQLite file includes three types of pages: Allocated pages include 
intact records, and some deleted data, for a specific table; Deleted 
pages include deleted or duplicate records for a specific table; and 
Lost pages include all types of data, including deleted records, but the 
original table of these records is unknown. 


SQLite deep carving recovers data from the Lost pages, and because of 
the amount of data this is a memory-based and time consuming 
process. However, user data is usually stored in Allocated and 
Deleted pages, so even if you do not use this option you will receive 
most of the data. 
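An added example (not Cellebrite's code) of what these page classes look like on disk: the Python below parses a SQLite file's header and freelist chain as laid out in the public SQLite file format, and reports which pages sit on the freelist (assumed here to be what the note calls Deleted pages) and which are still in use. It builds a throwaway database inline; Lost pages (not on the freelist, yet no longer reachable from any table's b-tree) would need a b-tree walk and are out of scope.

```python
"""Classify the pages of a SQLite 3 file: in use vs. on the freelist.

Added example; not Cellebrite code. Only the documented 100-byte header
and the freelist trunk/leaf layout are read. Offsets are big-endian.
"""
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def read_header(data: bytes) -> dict:
    """Extract page size and freelist fields from the 100-byte file header."""
    if data[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                  # the value 1 encodes a 65536-byte page
        page_size = 65536
    first_trunk, freelist_count = struct.unpack(">II", data[32:40])
    return {"page_size": page_size, "first_trunk": first_trunk,
            "freelist_count": freelist_count}


def walk_freelist(data: bytes, page_size: int, first_trunk: int):
    """Follow the freelist trunk chain; return (trunk pages, leaf pages).

    A trunk page begins with the next trunk page number (0 = end of chain)
    and the number of leaf page numbers that follow it, 4 bytes each.
    """
    trunks, leaves = set(), set()
    page = first_trunk
    while page and page not in trunks:  # the membership guard stops a corrupt cycle
        trunks.add(page)
        off = (page - 1) * page_size    # page numbers are 1-based
        nxt, n = struct.unpack(">II", data[off:off + 8])
        leaves.update(struct.unpack(f">{n}I", data[off + 8:off + 8 + 4 * n]))
        page = nxt
    return trunks, leaves


def classify_pages(path: str) -> dict:
    """Return page totals, the freelist page numbers and the header's own count."""
    with open(path, "rb") as f:
        data = f.read()
    hdr = read_header(data)
    total = len(data) // hdr["page_size"]
    trunks, leaves = walk_freelist(data, hdr["page_size"], hdr["first_trunk"])
    freelist = trunks | leaves
    return {"total": total,
            "freelist": sorted(freelist),
            "freelist_header_count": hdr["freelist_count"],
            "not_on_freelist": total - len(freelist)}


def demo() -> dict:
    """Construct a database, drop a multi-page table, classify before and after."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "sample.db")   # constructed sample database
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE msgs (body TEXT)")
        conn.executemany("INSERT INTO msgs VALUES (?)", [("x" * 1000,)] * 300)
        conn.commit()
        conn.close()
        before = classify_pages(path)
        conn = sqlite3.connect(path)
        conn.execute("DROP TABLE msgs")           # pages go to the freelist, not to disk zeroing
        conn.commit()
        conn.close()
        after = classify_pages(path)
    return {"before_drop": before, "after_drop": after}


if __name__ == "__main__":
    for stage, stats in demo().items():
        print(stage, {k: v for k, v in stats.items() if k != "freelist"},
              "freelist pages:", len(stats["freelist"]))
```

After the DROP TABLE the file keeps its size and the freed pages move to the freelist, which is why their records remain recoverable until reused or vacuumed.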


To recover data from archive files: 


» In the Decoding area, select the Recover data from archive files check box. 


This setting enables you to decode and process data from archive (zip) 
files, but requires additional decoding time. 


To aggregate significant iOS locations: 


» In the Decoding area, select the Aggregate significant locations (IOS) check box. 


When this setting is selected, Physical Analyzer can decode and display 
these locations. However, significant locations can be recovered only 
when performing full file system extractions of an iOS device using 
Cellebrite Advanced Services. 


To enable AppGenie for all Installed Applications categories: 


» In the Decoding area, select the Enable AppGenie on all app categories check box. 
To parse FTS content from WeChat: 


» In the Decoding area, select the Parse FTS content from WeChat check box. 


This setting controls the decoding of fts_messages.db, which provides 
another source of data for the WeChat app. This gives the potential to 
recover deleted and missing WeChat records, but can also introduce duplicates. 


To limit the number of duplicates, clear the Parse FTS content from 
WeChat check box. 


Network 


To disable network traffic (for example, will not check for new software versions): 


» In the Network area, clear the Disable network traffic check box. 


To enable Internet access for apps in the Virtual Analyzer: 
Hash set 


To move a hash set to another location: 


» Inthe Hash set area, click Change and select a new location for the hash set. 


For more information on hash sets, see Importing and categorizing hash sets (on 
page 152). 


To allow manual tags from a particular VIC/CAID category: 


» Select the required category. The options are Project VIC US (default), UK/CAID, or 
Project VIC CA (Canada). 
15.2. Data files 


The Data Files settings tab shows the Tag all untagged files as "Uncategorized" and Filter system images by default check boxes, followed by a table of data file groups (Images, Videos, Audio, Text, Databases, Configurations, Applications, Documents, Archives, Exchange, Shortcut) with the columns Active, Description, Extensions, Signature Filter and Tag As, and the Restore Default, Export, Import, OK and Cancel buttons. 

The Data Files settings determine the different file and tagging groups under the Data Files 
and Tags tree items, and the types of files filtered in each group. 


Tags and filters 


» Select to automatically tag untagged files as “Uncategorized.” 


» Select to filter system images by default. 


Data file settings 


Every data file record contains the following settings: 


» Active - Indicates whether to display (checked) or hide (unchecked) this group of data files 
under the Data files tree item. 
» Description - A descriptive name for the type of data files to be used as the group name 
in the project tree. 
» Extensions - The file extensions to be used to filter the data files of this group. 
» Signature filter - The header and/or footer signatures to be used to filter the data files of 
this group. 
» Tag As - The tag name to be applied to the data file and used to list the files under Tags 
in the project tree. 
15.2.1. Data files filtering methods 


Groups can be filtered using one or more of the following methods: 


» Signature filter: A signature filter is a definition of the file header and/or footer to be 
searched, in order to detect a file type and associate it with a specific Data File group. 
The header and/or footer can be configured in a defined range from the beginning and 
end of the file respectively by using the offset parameter. 

For example, a JPEG image starts with the header FF D8 FF and ends with the footer FF 
D9. Entering this information in the Header and Footer fields of the signature creates a 
signature that identifies JPEG images. 


» Extension filter: An extension filter is a list of common file extensions that are associated 
with file formats that belong to the specific data file group. 
For example, the different image file formats can be filtered by the file extensions *.jpg, 
*.jpeg, *.gif, *.png or *.bmp. 
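As an added illustration (example code, not Cellebrite's and not Physical Analyzer's internal format), the Python below implements both filtering methods for a few constructed groups, including the JPEG header/footer signature above, and flags files whose extension disagrees with their content signature. The group definitions, the offset-window semantics and the sample byte strings are assumptions of the example.

```python
"""Signature and extension filtering for data file groups (added example).

Not Cellebrite code. Groups, offset semantics and samples are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import PurePath


@dataclass
class Signature:
    """Header and/or footer bytes, each searched within an offset window
    measured from the start or the end of the file respectively."""
    name: str
    header: bytes = b""
    footer: bytes = b""
    header_offset: int = 0   # header may begin up to this many bytes into the file
    footer_offset: int = 0   # footer may end up to this many bytes before the end

    def matches(self, data: bytes) -> bool:
        if self.header:
            window = data[: self.header_offset + len(self.header)]
            if self.header not in window:
                return False
        if self.footer:
            window = data[-(self.footer_offset + len(self.footer)):]
            if self.footer not in window:
                return False
        return bool(self.header or self.footer)   # an empty signature matches nothing


@dataclass
class DataFileGroup:
    """One row of the Data Files settings: description, filters and tag."""
    description: str
    tag_as: str
    extensions: str = ""                      # ';'-separated *.ext patterns, as typed in the UI
    signatures: list[Signature] = field(default_factory=list)
    active: bool = True

    def extension_match(self, filename: str) -> bool:
        name = PurePath(filename).name.lower()
        patterns = [p.strip().lower() for p in self.extensions.split(";") if p.strip()]
        return any(fnmatch(name, p) for p in patterns)

    def signature_match(self, data: bytes) -> bool:
        return any(sig.matches(data) for sig in self.signatures)


# Constructed group definitions; the product's defaults list far more extensions.
GROUPS = [
    DataFileGroup("Images", "Image", "*.jpg;*.jpeg;*.gif;*.png;*.bmp", [
        Signature("JPEG", header=b"\xFF\xD8\xFF", footer=b"\xFF\xD9"),
        Signature("PNG", header=b"\x89PNG\r\n\x1a\n", footer=b"IEND\xaeB`\x82"),
    ]),
    DataFileGroup("Databases", "Database", "*.sqlite;*.db", [
        Signature("SQLite", header=b"SQLite format 3\x00"),
    ]),
    DataFileGroup("Archives", "Archives", "*.zip;*.7z", [
        Signature("ZIP", header=b"PK\x03\x04"),
    ]),
]


def classify(filename: str, data: bytes, groups: list[DataFileGroup] = GROUPS) -> dict:
    """Decide the tag for one file and report how the decision was reached.

    Content (signature) wins over the file name, because a name is trivially
    renamed while header/footer bytes are not; a disagreement between the two
    is flagged so an examiner can review files whose extension was changed.
    """
    by_sig = next((g for g in groups if g.active and g.signature_match(data)), None)
    by_ext = next((g for g in groups if g.active and g.extension_match(filename)), None)
    chosen = by_sig or by_ext
    return {
        "tag": chosen.tag_as if chosen else "Uncategorized",
        "signature_group": by_sig.description if by_sig else None,
        "extension_group": by_ext.description if by_ext else None,
        "extension_mismatch": bool(by_sig and by_ext and by_sig is not by_ext),
    }


# Constructed sample contents (minimal byte strings, not real files).
SAMPLE_JPEG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 32 + b"\xFF\xD9"
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26
SAMPLES = [
    ("photo.jpg", SAMPLE_JPEG),       # name and content agree
    ("notes.txt", SAMPLE_JPEG),       # JPEG renamed to .txt: signature still tags it
    ("backup.db", SAMPLE_ZIP),        # ZIP renamed to .db: flagged as a mismatch
    ("photo.jpg", SAMPLE_JPEG[:4]),   # truncated JPEG, footer missing: extension only
    ("readme.txt", b"hello"),         # nothing matches: Uncategorized
]


def demo() -> list[dict]:
    return [dict(file=name, **classify(name, data)) for name, data in SAMPLES]


if __name__ == "__main__":
    for row in demo():
        print(row)
```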


15.2.2. Managing data files settings 
Add new types of data files, and edit and delete existing data file types. 


15.2.2.1. Adding a new data file type 


1. In the Data Files settings, click the add icon. A new row is added to the list. 
2. Select Active to display the added data type in the Data Type tree item. 
3. Click in the new row's Description box, and type a file type description. 
4. If applicable, in the Extensions box, enter the file extensions commonly used by your data 
file type in the format *.xxx, separated by ;. 
5. If applicable, in the Signature filter box, click the signature filter icon. The signature list 
shows each signature's Use, Name, Header and Footer, for example: 

Use Name Header Footer 
JPG Files \xDE\xAD \xBE\xEF 
PNG Files \x89PNG \xBE\xEF 

Do any of the following: 
» Click the add icon to add a filtering signature that identifies your data file type. 
» Click the edit icon to edit an existing signature filter. 
» Click the delete icon to delete a signature filter. 
6. If applicable, click in the Tag As box and select a tag name from the list. 
7. To change the order of the data file types, use the arrows. 
8. To clear the list of data file types you added, leaving only the default types, click Restore 
default. 


15.2.2.2. Editing an existing data file record 
1. Click the row of the data file type that you want to edit. 
2. Double-click in the column and row that you want to change, and update the existing 
settings as desired. 


15.2.2.3. Deleting a data file type 
1. Click the row of the data file type that you want to delete. 
2. Click the delete icon. 
15.3. Hex viewer 


The Hex Viewer setting enables you to control the display options of Hex extractions to suit 
personal preference and enhance readability. 




Change the defaults for the following Hex viewer settings: 


» Show address - Show/Hide the line numbers column of the Hex Viewer. 
» Show ASCII view - Show/Hide the ASCII view column of the Hex Viewer. 


» Draw separation lines - Show/Hide the separation lines between the address, Hex data, 
and ASCII view columns. 


» Display 0x00 and 0xFF string data as space - Set the string data to display both 0x00 and 
0xFF characters as a space instead of a ".". 


» Base format for selection - The line numbers format (Decimal, Hex, or Both). 
» Font - The font used to display the information. 
» Color settings - Set the colors applied to different features of the Hex viewer. 
15.4. Models 


Set the color schemes to be applied to various types of device data. 


You can also manage project colors, or enable or disable the Projects color feature. With this 
feature, each project tab is displayed with its color and icon (excluding the Welcome page 
tab). The color and the icon signify to which project and information type the tab is related. 




To set the color schemes to be applied to various types of device data: 
1. In the Type list, select the data type. 

2. In the Background color list, select the desired background color. 

3. In the Text color list, select the desired text color. 

To turn off project color schemes: 


» Clear the Enable colors per project check box. 


To change a project's color scheme: 


» Select the desired color for the first to the tenth project. 
15.5. Timeline 




The Timeline settings enable you to control what you see in the timeline. 


Timestamp fields 


Choose which timestamps to display in the timeline: All, Created, Captured, Modified, 
Accessed, Deleted. Only Captured is selected by default. 


Data files type 


Choose which types of data files to display in the timeline: All, Image, Audio, Video. All types 
are selected by default. 


Activities 


Choose if activities are displayed in the timeline. This option is selected by default. 
15.6. Interface 


Set a theme for Physical Analyzer, either light or dark interface. 




Changing the interface configuration settings will cause the application to 
close and then restart. 
15.7. Additional report fields 


The Additional Report Fields tab provides Add New and Restore default settings buttons above a table with the columns Name, Required, Type and Default Value; by default it contains the fields Examiner name, Department and Location, each Required and of type String. 


Optional information is user-defined information presented at the beginning of the report. It 
usually includes information about the case, investigator, and organization details. 


Every optional information record consists of the following: 


» Name - The name of the report field. 
» Required - Indicates if the field must be filled in order to generate the report. 
» Type - The type of entry: String or List. 
» Default value - Default content. 

You can add new report fields, and edit and delete fields, as desired. 


15.7.1. Adding a new report field 
1. Click Add New. A new row is added to the table. 
2. In the Name column, enter the name label to be displayed. 
3. Select Required if this field must be filled in order for the user to generate the report. 
4. In the Type list, select one of the following: 
» String for text entry fields 
» List for a specified list of options 
5. In the Default Value box, set the default content: 
» For a String type, type the default string. For a multi-line string, click the edit icon, enter the 
default string in the Option Editor (Edit the default value text), then click Save. 

» For a List type, click the edit icon, enter the list items with each item on a separate line, then 
click Save. 


15.7.2. Editing a report field 


» To edit a report field, perform steps 2-5 of Adding a new report field (on the previous 
page), changing the parameters to suit your needs. 


15.7.3. Deleting a report field 


» To delete a report field, click the x icon. 
15.8. Report defaults 


The Report Defaults settings enable you to edit the report presentation. 




Scroll down to see all the fields. 


» In the Report type list, select the report type that you want to edit. 
General settings 


» Default folder - Enter the path to the folder where you want to save reports you generate 
for this report type. 

» Default sorting - Select to sort the items included in the generated report according to 
the default sorting set by Cellebrite for each of the Analyzed and Data file types, or clear 
Default sorting to sort the items according to the selected sorting field and the sorting 
order (ascending or descending) that was set by the user in each of the data display 
tables. 

» Calculate SHA-2 (256 bit) hash and Calculate MD5 (128 bit) hash - Select which calculated 
MD5 and SHA256 hash keys to add to each Data Files item in the generated report. Do 
not select these options to shorten the report generation process of large projects. 

» Include translations - Select to include any translated text in the report. 

» Include merged items (analyzed data) - Select to include merged data from the Analyzed 
Data area. 

» Include merged items (data files) - Select to include merged data from the Data Files 
area. 

» Include Reader - Select to share UFDR reports with authorized persons using the 
Reader. This option is for the UFDR format only. The Reader executable will then be 
included within the report output folder. 

» Include system images - Select to include system images (images that come with the 
device or as part of an app installation) as well as non-system images. 

» Include account package - Select to include an account package with user credentials, 
which can be used by UFED Cloud. 

» Include enrichments - Select to include BSSID enrichment data. 

» Hide extraction source indication - Select to hide the source file information. 

» Include Thumbnail Cache - Select to include the thumbnail cache. 

» Disable promotions in Reader - Select to disable promotions in Cellebrite Reader. 

» Full size images (screen capture) - Select to include full size images from the Screen 
capture tool. 

» Include chat bubbles - Select to include the chat bubbles of the conversation in the 
report. Select Include metadata in chat bubbles to include the metadata. 

» Disable models categorization - Select to disable the separation and generate a report in 
which every data item is generated as a single section without subcategory separation. 
By default, a categorized report is generated in which each category in the data items 
group is a separate section. For example, when generating a report with Call logs, select 
the check box to generate the Call logs as a single list, or clear the check box to break it 
into a separate list for each category of Call logs. 
For Excel reports, set the following: 


» Unprintable characters placeholder - Set the placeholder character to replace the 
unprintable characters. 

» Output File Format - Set the output file format of the spreadsheet file to one of: 

* XLSX - The current Excel file format. 

* XLS - The legacy file format of Excel. 

* ODS - The spreadsheet file format of OpenOffice. 

» The Excel report is compatible with OpenOffice - Select to ensure the Excel report can 
be opened in OpenOffice. 

» Generate Contact Identification Data - Select to add a sheet to the Excel report that 
provides a list of unique contacts based on type. 


For HTML reports, set the following: 


» Logo Header - Enter and format custom text to appear in the report header before the 
logo image. 

» Logo - Click Select Image File to add the logo image to appear in the report header. 
Supported file formats are: BMP, JPG, GIF, and PNG. 

» Logo Footer - Enter and format custom text to appear in the report footer after the 
logo image. 

» Show totals for items not in the report - Add a Total column to the report that displays 
the total number of items that were excluded from the report. 

» Show extended deleted state - Include the state (Intact, Deleted, or Unknown) of 
deleted items in the generated report. When not selected, the report logs the state of 
deleted items only as Yes, and leaves it empty for other states. 

» Number of lines for email preview - Set the maximum number of lines from each email 
message to appear in the report. 

» Display full email body - Display the entire message body. 

» Number of messages per chat - Set the maximum number of lines per chat message 
to appear in the report. 

» Display all chat messages - Display all chat messages in the report. 

» Split HTML report - Set each section of the report to start on a new page. 




For PDF reports, set the following: 

» Logo Header - Enter and format custom text to appear in the report header before the 
logo image. 

» Logo - Click Select Image File to add the logo image that appears in the report header. 
Supported file formats are BMP, JPG, GIF, and PNG. 

» Logo Footer - Enter and format custom text to appear in the report footer after the 
logo image. 

» Show totals for items not in the report - Add a Total column to the report that displays 
the total number of items that were excluded from the report. 

» Show extended deleted state - Include the state (Intact, Deleted, or Unknown) of 
deleted items in the generated report. When not selected, the report records only Yes as 
the state of deleted items and leaves the state empty for other states. 

» Number of lines for email preview - Set the maximum number of lines from each email 
message to appear in the report. 

» Display full email body - Display the entire message body. 

» Number of messages per chat - Set the maximum number of lines per chat message 
to appear in the report. 

» Display all chat messages - Display all chat messages in the report. 


For Word reports, set the following: 

» Logo Header - Enter and format custom text to appear in the report header before the 
logo image. 

» Logo - Click Select Image File to add the logo image that appears in the report header. 
Supported file formats are BMP, JPG, GIF, and PNG. 

» Logo Footer - Enter and format custom text to appear in the report footer after the 
logo image. 

» Show totals for items not in the report - Add a Total column to the report that displays 
the total number of items that were excluded from the report. 

» Show extended deleted state - Include the state (Intact, Deleted, or Unknown) of 
deleted items in the generated report. When not selected, the report records only Yes as 
the state of deleted items and leaves the state empty for other states. 

» Number of lines for email preview - Set the maximum number of lines from each email 
message to appear in the report. The report includes links to text files containing the 
entire email. 

» Display full email body - Select to display the entire message body. 

» Number of messages per chat - Set the maximum number of lines per chat message 
to appear in the report. 

» Display all chat messages - Display all chat messages in the report. 
15.9. Cellebrite Commander 


Agencies that have several Physical Analyzer units, dispersed across single or multiple 
locations, can now easily and conveniently oversee and manage the distribution of software 
licenses and updates using Cellebrite Commander. 


Cellebrite Commander is an ideal solution for organizations that want to govern internal 
processes and centralize the management of software updates across all deployed systems, 
making better use of equipment and staff. Cellebrite Commander can also be used to gather 
insights and usage data to help optimize planning. 


Physical Analyzer together with Cellebrite Commander provides agencies with: 

» One-click connectivity between Cellebrite Commander and Physical Analyzer 
» 24/7 remote assistance by the Cellebrite Commander Admin 
» Software upgrade management capabilities 
» Central license management 
» Reporting on iOS extractions 
» Live status of Physical Analyzer units (connected or not, updated or not) 

To connect a Physical Analyzer to Cellebrite Commander: 

1. Go to Tools > Settings > Cellebrite Commander connection, or go to 
Help > Show license details > Cellebrite Commander (tab). 

   The following window appears. 
[Settings window, Cellebrite Commander connection pane: Cellebrite Commander server connection 
with the options Managed connection (Cellebrite Commander) and Unmanaged connection; the prompt 
"Type Cellebrite Commander server name or IP address and check the connection"; the fields 
Server name or IP and PA station name (optional).] 

2. Select Managed connection. 

   When set to the managed connection, Physical Analyzer is managed by Cellebrite Commander, 
   including centralized version management. 

3. Enter the Fully Qualified Domain Name (FQDN). 

4. Click Check connection. If the validation is successful, the status changes to Connected to 
Cellebrite Commander, and Cellebrite Commander is indicated at the top of the screen. 

5. Click Save. 

   The license is validated against the license that exists in Cellebrite Commander, and any 
   changes are taken from Cellebrite Commander. 
15.10. Post-chain plugin 


Add and remove plug-ins from the list of plug-ins that automatically run when you open a 
project. This can be useful when you have time constraints or large extraction files. These 
settings enable you to define whether or not to run certain plug-ins. 


[Settings window, Post-chain Plugins pane: Add Plugins button and Filter box above a table with 
the columns Enabled, Name, Author, Version, and Description; for example, the row 
ContactsCrossReference, Cellebrite, 2.0, "Cross references the phone numbers in a device's 
contacts with the numbers in ..."; Export..., Import..., OK and Cancel buttons at the bottom.] 


1. To add a plug-in to the list, click Add Plugins and select a plug-in from the list. 

2. To remove a plug-in from the list of plug-ins that run automatically when you open a 
project, clear the check box in the Enabled column. 

3. To remove a plug-in from the list, select the plug-in and click Remove Plugins. 

4. To filter the plug-ins list, use the Filter box. 

   The settings apply to subsequent projects opened in your current session. To save your 
   configuration settings for use in subsequent sessions, see Saving settings (on the facing page). 
15.11. Saving settings 


Save your settings to reuse later, or to share with another user. 


1. In the Settings window, click Save Configuration. 
2. In the Save As window, browse to the location where you want to save your settings 
configuration, and click Save. 


The settings are saved as a Physical Analyzer Settings Configuration File (*.cnf). 


15.12. Loading settings 


Load your saved settings configuration. 


1. In the Settings window, click Load Configuration. 
2. In the Open window, browse to the location where your settings configuration is saved, 
select the configuration (*.cnf), and click Open. 


The settings are applied in the Settings window. 


15.13. Setting project settings 


Set unified time zone and case information for each project. 


15.13.1. Setting a unified time zone for the project 


During extraction, one time stamp per event is extracted. 


For outgoing events, the time stamp is typically taken from one of the following sources: 


» User-defined device time (where the device time has been manually set by the user): 
timestamps are displayed without the unified time (UTC). 

» Network-defined device time (where the device time is automatically set by the network): 
timestamps are displayed with the unified time (UTC). 


For incoming events, the time stamp is typically taken from the network-defined time (the 
time stamp assigned by the network); timestamps are displayed with the unified time (UTC). 


Network-defined time stamps are subject to the time zones in which the event occurred. 


Apply a unified time zone to the project to recalculate all network-defined time stamps 
according to the selected time zone in order to consolidate the events and view them 
sequentially in Physical Analyzer. 
To apply a unified time zone to the project: 


1. Do one of the following: 
   » In the project Extraction Summary tab, click Project settings. 
   » Go to Tools > Project settings. 

   [Project settings window, Time zone pane: Time zone settings (UTC) list showing Original UTC 
   value, and the Use daylight savings check box next to the Daylight Saving Time ... button; 
   General Settings and Case Information panes are listed below.] 

2. From the Time zone settings (UTC) list, select: 
   » Original UTC value to show time stamps as recorded. 
   » One of the time zones (UTC -12:00 to UTC +13:00) to recalculate network-defined time 
   stamps according to the time zone offset. 

   User-defined time stamps are not included in these recalculations, and are displayed as 
   recorded. 


3. To enable or disable the daylight saving time, select or clear the Use daylight savings 
check box. 


4. To change the start and end dates for daylight saving time, click Daylight Saving Time. 
[Daylight Saving Time dialog for the selected time zone, for example (UTC+00:00) Abidjan (Africa): 
a table with one row per year, each with a Start and an End date picker ("Select a date") and an 
x button to remove the year.] 


a. For the year that you want to change, use the calendar to select the start and end 
dates, or edit the dates directly. You can use the x button to remove certain years. 


b. Click Back to last saved data to reset the table to the last time that you saved the data, 
click Back to original data to return the table to its default settings, or click Save to 
save the table with any changes that you made. 


5. Click OK. 


The project is recalculated according to the selected unified time zone, and the new time 
zone is applied to the network-defined time stamps. Time stamps of events displayed in 
Physical Analyzer windows and any subsequently-generated reports reflect the selected 
unified time zone. 
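The recalculation described in this section, written out as an added example in Python; it is not part of the manual and not Physical Analyzer's own code. It assumes a small event structure (a label, the extracted stamp, and whether the stamp was network-defined or user-defined), a constructed set of sample events, and an assumed per-year DST table standing in for the start and end dates edited in the Daylight Saving Time dialog. Network-defined stamps are shifted to the selected UTC offset (plus one hour inside the DST range when daylight saving is enabled); user-defined stamps are left exactly as recorded, and the result is sorted so the events can be reviewed sequentially.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass
class Event:
    label: str
    stamp: datetime        # time stamp as extracted
    network_defined: bool  # True: assigned by the network (UTC); False: set by the user


# Constructed sample events, not taken from a real extraction. Network-defined
# stamps carry tzinfo=UTC; the user-defined stamp is naive, exactly as recorded.
SAMPLE_EVENTS = [
    Event("incoming call", datetime(2016, 9, 11, 9, 53, 31, tzinfo=timezone.utc), True),
    Event("outgoing SMS (network time)", datetime(2016, 1, 15, 23, 30, 0, tzinfo=timezone.utc), True),
    Event("outgoing SMS (user-set clock)", datetime(2016, 1, 16, 1, 30, 0), False),
]

# Assumed DST table: year -> (start date, end date), standing in for the per-year
# start/end dates edited in the Daylight Saving Time dialog.
DST_TABLE = {2016: (date(2016, 3, 27), date(2016, 10, 30))}


def unified_offset(stamp_utc, offset_hours, use_dst, dst_table):
    """Offset applied to one network-defined UTC stamp: the selected time zone
    offset, plus one hour when DST is enabled and the local date falls inside
    that year's DST range (assumed rule for the example)."""
    base = timedelta(hours=offset_hours)
    if use_dst:
        local_date = (stamp_utc + base).date()
        rng = dst_table.get(local_date.year)
        if rng and rng[0] <= local_date < rng[1]:
            base += timedelta(hours=1)
    return base


def apply_unified_time_zone(events, offset_hours, use_dst=False, dst_table=DST_TABLE):
    """Return (label, displayed stamp) pairs sorted for sequential review.
    Network-defined stamps are recalculated to the unified zone; user-defined
    stamps are returned as recorded."""
    shown = []
    for ev in events:
        if ev.network_defined:
            off = unified_offset(ev.stamp, offset_hours, use_dst, dst_table)
            displayed = (ev.stamp + off).replace(tzinfo=timezone(off))
        else:
            displayed = ev.stamp
        shown.append((ev.label, displayed))
    # Sort on the wall-clock value so zone-aware and as-recorded stamps interleave.
    shown.sort(key=lambda pair: pair[1].replace(tzinfo=None))
    return shown


if __name__ == "__main__":
    # UTC+02:00 with daylight saving enabled
    for label, when in apply_unified_time_zone(SAMPLE_EVENTS, 2, use_dst=True):
        print(f"{when.isoformat()}  {label}")
```

With UTC+02:00 and daylight saving on, the September call moves to 12:53:31+03:00 while the January network-stamped message lands on 16 January 01:30+02:00; the user-set stamp stays at 01:30 with no offset, which is why the two January events sit next to each other even though only one of them was actually recalculated.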


15.13.2. Setting the case information 


Case information settings are saved with the project. The case number appears with the 
extraction information on the Welcome tab. 


1. Do one of the following: 
   » In the project Extraction Summary tab, click Project settings. 
   » Click the Project settings icon. 

2. Go to Tools > Project settings. 


[Project settings window, Case Information pane: Add New and Restore default settings buttons 
above a table with the columns Name, Required, and Default Value; default rows are Case number 
(Required: Yes), Case name, Evidence number, and Notes. General Settings is listed alongside.] 

3. Click Add New. 

   Some case information fields appear by default. 

4. Set the parameters for the default information fields: 

   a. In the Name column, enter the relevant information (for example, case number, name, 
   or notes). 

   b. Select Required if this field must be filled. 

   c. In the Type list, select one of the following: 
      » String for text entry fields 
      » List for a specified list of options 

   d. In the Default Value box, set the default content: 
      » For a String type, type the default string. For a multi-line string, click the edit 
      icon, enter the default string in the Option Editor, and then click OK. 
      » For a List type, click the edit icon, enter the list items with each item on a 
      separate line, and then click OK. 

5. To add more information fields, click Add New, and repeat step 3. 

6. To remove custom entries, click the remove icon. 

7. To restore the default settings, click Restore default settings. 
16. Menus 


This section describes the menus and commands. 


File menu (on the next page) 
View menu (on page 451) 
Tools menu (on page 452) 
Extract menu (on page 454) 
Python menu (on page 455) 
Plug-ins menu (on page 456) 
Report menu (on page 457) 
Help menu (on page 458) 
16.1. File menu 


Open | Open a file for analysis using the standard analysis process. 

Recent | Displays a list of recent projects. 

Add external file | Include related artifacts in your case such as search warrants, additional 
images and relevant documents. See Adding external files (on page 77). 

Add extraction to | Add an extraction to an open project. 

Save as UFDX | Save a multiple extraction project as a UFDX file. This file enables the unified 
project to be opened as a single project with all its extractions. 

Close tabs | Close all the tab windows for a specific project. 

Close | Closes the currently active project. 

Save project session | Saves the active project information generated by the user as a Physical 
Analyzer Session File (*.pas). See Saving a project session (on page 76). 

Load project session | Loads a Physical Analyzer Session File (*.pas) onto an open project in the 
project tree. 

Exit | Closes Physical Analyzer and all active sessions. 
16.2. View menu 


Welcome screen | Displays the Welcome tab. See Welcome tab (on page 97). 

Trace window | Show/hide the trace panel at the bottom of the data display area. 


16.2.1. Viewing the trace window 


Show the Trace window at the bottom of the data display area to view a log of the actions 
performed in your session by you or by Physical Analyzer, such as plug-in activation. 


1. In the View menu, select Trace window. 


The Trace window appears below the data display area. 


Trace window                                                                          Clear 

Program Start 11-Sep-16 09:53:31 
Thumbnail cache size has been set to 300 MB 
Loading user layout: C:\Program Files\Cellebrite Mobile Synchronization\UFED Physical Analyzer\Layouts\layoutAlizaS.config 
Loading ufdx file: C:\Users\alizas\Desktop\Samsung GSM GT-i9205 Samsung Galaxy Mega 6.3 2015_11_23 (003)\EvidenceCollection.ufdx 
Extraction was opened by UFED Physical Analyzer version 5.4.0.39 
Running plugin Pre Project (debug=False) 
Setting extraction info... 
Adding project processor... 
Plugin Pre Project finished, runtime: 00:00:00.04 
Running plugin MBRGeneric (debug=False) 
Parsing MBR for memory range: Image 
Loading file: C:\Users\alizas\Desktop\Samsung GSM GT-i9205 Samsung Galaxy Mega 6.3 2015_11_23 (003)\Physical Boot Loader (Recommended) 01\Sams… 


2. To clear the log, in the Trace window, click Clear. 

3. To close the Trace window, click the close (X) button. 

   The Trace window can be hidden or displayed. 

   » To pin the Trace window open, click the pin icon. 
   » To unpin the Trace window, click the pin icon again. 
   » To view the Trace window when hidden, select or mouse over the tab. 
16.3. Tools menu 


Read Data from UFED | Enables data extraction directly to the computer. 

Extraction file system | Exports and saves the parsed file system to actual files and folders in a 
directory structure. See Exporting the file system (on page 419). 

Get more data (Carving) | 
   Carve images: Opens the Carve Images window, from where you can scan for images. See 
   Carving images (on page 357). 
   Carve strings: Opens the Carve Strings window, from where you can scan for strings. 
   Carve locations: Carve locations from unallocated space and unsupported databases. See 
   Carving locations (on page 361). 

Export account package | Extract an account package, which contains user credentials that can be 
imported into UFED Cloud. 

Watch list | 
   Watch List Editor: Opens the Watch List Editor, from where you can create, manage, and run 
   your watch lists. See Accessing conversation view (on page 142). 
   Run Watch Lists on Active Projects: Displays a list of active projects, from where you can 
   apply watch lists. 

Hash set manager | Compare the MD5 hash sets of image and video files in an extraction to 
databases of known and blacklisted files. See Importing and categorizing hash sets (on page 152). 

Export hash database | Create an export file that includes a hash of offending photos that you can 
share with Project VIC and CAID. See Exporting the hash database (on page 163). 

Malware scanner | Opens the Malware scanner sub-menu, from where you can run malware detection on 
your extraction and update the signature database. See Scanning for malware (on page 29). 

Translation | Downloads the translation pack from the Internet, installs the translation pack from 
a file, or displays the supported languages. See Translating decoded data (on page 191). 

Offline maps | Installs offline map packages. See Viewing offline maps (on page 174). 

Enrichment of BSSID and cell IDs | Opens the Enrichment database sub-menu, from where you can 
install the database, import and export XML files with BSSID and cell tower data, and run online 
enrichment. See Enrichment of BSSID and cell IDs (on page 178). 

SQLite wizard | Opens the SQLite wizard sub-menu, from where you can open the SQLite wizard or 
select a SQLite database. See SQLite wizard (on page 307). 

TomTom | Opens the TomTom sub-menu, from where you can export the TomTom extraction file and 
import the returned XML file. See Working with TomTom (on page 334). 

Run fuzzy model plugin | Identify new data sources, and handle and parse unknown databases. See 
Fuzzy models (on page 330). 

Virtual Analyzer | Use the Virtual Analyzer to recover data from unsupported apps, view your data 
as if you were using the owner's device, and validate decoded artifacts. See Virtual Analyzer (on 
page 288). 

AppGenie | A research tool that provides additional app data such as Contacts, User accounts and 
Chats. See AppGenie (on page 285). 

Manage tags | Opens the Manage tags window. See Tags (on page 167). 

Manage public domain avatars | Create avatars to extract and preserve public domain, forensically 
sound data in one workflow. You can enrich your extracted data sources, and quickly reveal 
evidence hiding in plain sight on Facebook, Instagram and Twitter. See Accessing public data (on 
page 300). 

Dictionary files | Create alphanumeric files with all the words in a decoded project. See 
Generating dictionary files (on page 333). 

Settings | Opens the application settings window. See Settings. 

Project settings | Set unified time zone and case information for each project. See Setting 
project settings (on page 445). 


16.4. Cloud menu 


Extraction > Private cloud data | Starts the UFED Cloud case wizard to extract private data from 
cloud data sources. See Extracting private cloud account data (on page 208). 

Extraction > Public cloud data | Starts the UFED Cloud case wizard to extract public data from 
cloud data sources. See Extracting public cloud account data (on page 234). 

Manage avatars | Manage public domain avatars. 
16.5. Extract menu 


iOS device extraction | Starts iOS device extraction to perform extractions from iOS devices. See 
Extraction from iOS devices (on page 269). 

Extract GPS/mass storage device | Reads and saves data from GPS and mass storage devices connected 
to the workstation via USB connection. See Reading data from a GPS or mass storage device (on 
page 278). 
16.6. Python menu 


Python shell | Opens the Python shell window for custom analysis using Python commands. See 
Using the Python shell (on page 418). For additional information on how to use Python shell 
commands for custom analysis, refer to the "Python Scripting Guide", accessible from the Help 
menu. 

Run script | Runs a pre-written Python script (*.py file). 

Run script (debug enabled) | Enables you to run a pre-written Python script (*.py file) in debug 
mode. 
16.7. Plug-ins menu 


Add/remove plug-ins | Displays the list of pre-installed plug-ins to enable management of the 
currently installed plug-ins. See Managing plug-ins (on page 416). 

Run plug-in | Enables you to select a specific plug-in and run it. See Running a specific plug-in 
(on page 418). 

Chain manager | Displays the Chain manager window to enable management and creation of device 
processing chains. See Managing chains (on page 404). 
16.8. Report menu 


Generate report | Generates a report summary of all information found by the analysis process. 
See Generating a report (on page 257). 

Generate a preliminary device report | Generates an 'at a glance' intelligence report that 
includes parsed device information and user account information. See Generating a Preliminary 
device report (on page 268). 
16.9. Help menu 


Supported applications | Lists the supported applications and verified versions for Android, 
BlackBerry, iOS, and Windows Phone devices. 

Manual | Opens the user manual. 

Check for new version | Checks for a new software version if connected to the Internet. 

Python shell scripting guide | Opens the Python Scripting Guide in PDF format. 

View promotion | Displays information about the UFED Cloud application and the translation 
feature. 

Learn more | Displays our latest capabilities and lets you learn about other features. 

Show license details | Displays the current software or hardware (dongle) license information, 
and enables you to: 
   » Activate or load a new license (software or dongle) 
   » Display information about previous dongles that were connected to this workstation 
   » Deactivate a software license 
   » Get direct access via email to Cellebrite support and sales 

Zip log files | Zips the log files and opens the folder where the zipped log files are saved. 

Zip log files with … information | Zips the log files and includes detailed information about the 
operating system, drivers, application data, event logs, etc. This information can be used to 
analyze reported cases. 

License agreement | Opens the software license agreement. 

About | Provides information about the installed Physical Analyzer version. 
17. Glossary 


A 


Account package 

An export file in .ucae format that contains user credentials, tokens or cookies, that 
can be imported and used to authenticate cloud accounts. An account package can 
be exported from Physical Analyzer, Cloud Login Collector and more. 


Advanced logical extraction 

An extraction method that combines both the logical and file system extractions into 
a single extraction method. This method helps users overcome the pain of long and 
convoluted extractions, saving time and effort while maintaining forensically sound 
data. 


apk 

Android application package file. Each Android application is compiled and packaged 
in a single file that includes all of the application's code (.dex files), resources, 
assets, and manifest file. 


Apple File Conduit 

AFC2. A service that is used by computer applications such as iTunes and iPhoto to 
read files from a device over USB. 


Avatar 

A social media profile that you can use to extract public data. Note: Avatars are 
public profiles, and as such, are exposed to public review. 
C 


CAID 

Child Abuse Image Database. CAID sources images from police and NCA. Images 
are assigned unique identifiers - called hashes - and metadata. If CAID hashes 
appear in a case, they may indicate child abuse and/or exploitation. 


Carve locations 

Decodes additional location data from unallocated space and unsupported 
databases. 


Carving 

The process of finding data contained within the hexadecimal code, apart from what 
the forensic software has automatically offered. Carving can become necessary when 
the forensic tool parses data from unsupported apps, with deleted data including 
images, and other situations with file system and physical extractions. 


CAS 

Cellebrite Advanced Services (CAS) offers customers the ability to recover valuable 
evidence from heavily damaged, locked or encrypted devices. 


Cellebrite Commander 

Simplify how you manage and control all deployed devices and systems with 
Cellebrite Commander. Reduce ongoing administration costs by remotely accessing 
devices and systems across your operation. 


Cellebrite Pathfinder 

Cellebrite Pathfinder is designed to afford users the greatest opportunity 
currently possible to complete a near encyclopedic review of Big Data collections. 
Cellebrite Pathfinder is available in two versions: Desktop and Enterprise. The user 
interface of each Cellebrite Pathfinder version is modeled to complete extensive 
reviews in a reduced time factor. 
Cellebrite Reader 

An application designed to allow users to view and share analysis reports with other 
authorized personnel, such as colleagues, other investigators, and attorneys. 


Cellebrite UFED 4PC 

Enables users to deploy extraction capabilities on Windows based tablets, laptops, 
and desktop computer systems. It performs physical, logical, file system and 
password extractions on a wide range of devices. 


Cellebrite UFED Touch 

Enables the simplified extraction of mobile device data. Depending on the license 
purchased, it performs physical, logical, file system and password extractions on a 
wide range of devices. 


Chain 

A chain is a set of plug-ins grouped together, which is used to process the extracted 
data of a device. Each device in the supported devices list of the application has a 
predefined parsing chain assigned to it. As part of its building blocks, a chain can 
also include other predefined chains. 


Common/Known Image Filter 

As part of the decoding process, UFED Physical Analyzer can calculate hash values of 
any extracted data file, particularly for media files. UFED Physical Analyzer 
automatically filters out common images. This saves time that would otherwise be 
spent reviewing common media images that are device files, image icons or images 
that are part of an app's installation. 


D 


Data source 

The source of the extracted data (e.g., Facebook, Google Takeout, Dropbox). 
Decoding 

The process of translating raw hexadecimal data into an easily readable format. An 
automatic process within applications such as Physical Analyzer, decoding renders 
data easier for the examiner to find and analyze. From file system and physical 
extractions, the examiner always has the option to examine hexadecimal code within 
the raw data. 


Dongle license 

A software copy protection device that plugs into the USB port of the computer. 
Upon startup, the application looks for the key and will run only if the key contains 
the appropriate code. 


F 


Forensically sound 

Extracted data is said to be forensically sound if it was collected, analyzed, handled, 
and stored in a manner that is acceptable by the law, and there is reasonable 
evidence to prove so. Forensic soundness provides reasonable assurance that 
extracted data was not corrupted or destroyed during investigative processes, 
whether on purpose or by accident. 


G 


Geodistance 

The distance calculated between points which are defined by geographical 
coordinates in terms of latitude and longitude. 


GPU 

The Graphics Processing Unit (GPU) is a specialized processor that can rapidly 
execute commands for manipulating and displaying images. To boost media 
analytics speed in Analytics Desktop, it is recommended to add a GPU that matches 
or surpasses the minimum system requirements. 
H 


HashDB 

Upload hash databases to compare them against the hash values in your cases. 
Hash databases leverage the use of extremely large and high quality hash sets to 
identify and eliminate images and videos. Using hash sets, law enforcement 
agencies are pre-categorizing or identifying images as part of a first-time sweep of 
seized evidence. CSV and TXT files as well as Project VIC, CAID and National 
Software Reference Library (NSRL) database formats are supported. 
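The Common/Known Image Filter and HashDB entries describe the same mechanism from two sides: hash every extracted media file, drop the ones whose hash is in a known-file set, and flag the ones whose hash is in a blacklist. The following is an added Python example of that workflow; it is not part of the manual and not Physical Analyzer's own code. It uses MD5 because that is the hash the Tools menu names, a constructed two-column CSV hash set (the hash,category layout is an assumption, not a Project VIC, CAID or NSRL format), and constructed stand-in file contents rather than real images.

```python
import csv
import hashlib
import io


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, the hash the Tools menu says is compared against hash sets."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-in "extracted files": path -> bytes (not real images).
SAMPLE_FILES = {
    "icons/ic_launcher.png": b"app icon bytes",
    "DCIM/IMG_0001.jpg": b"user photo bytes",
    "cache/flagged.jpg": b"flagged sample bytes",
}

# Constructed hash-set CSV. The two-column layout (md5,category) is an assumption
# for the example; it is built from the stand-in bytes so everything runs offline.
SAMPLE_HASH_SET_CSV = "md5,category\n" + "\n".join([
    f"{md5_hex(b'app icon bytes')},known",
    f"{md5_hex(b'flagged sample bytes')},blacklisted",
]) + "\n"


def load_hash_set(csv_text: str) -> dict:
    """Parse hash,category rows into {lower-case hash: category}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["md5"].strip().lower()] = row["category"].strip().lower()
    return table


def categorize_files(files: dict, hash_set: dict) -> dict:
    """Group file paths by the category their hash matches; 'unmatched' when absent."""
    result = {"known": [], "blacklisted": [], "unmatched": []}
    for path, data in files.items():
        category = hash_set.get(md5_hex(data), "unmatched")
        result.setdefault(category, []).append(path)
    return result


def review_queue(files: dict, hash_set: dict) -> list:
    """Paths an examiner still has to look at: everything except known/common files.
    Matching is exact, so a re-encoded or cropped copy of a known file will not match."""
    groups = categorize_files(files, hash_set)
    return sorted(p for cat, paths in groups.items() if cat != "known" for p in paths)


if __name__ == "__main__":
    hs = load_hash_set(SAMPLE_HASH_SET_CSV)
    print(categorize_files(SAMPLE_FILES, hs))
    print(review_queue(SAMPLE_FILES, hs))
```

The known-file set only removes exact duplicates: any file that has been re-saved, resized or cropped produces a different hash and stays in the review queue, which is the conservative behaviour an examiner wants from a filter that hides material.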


J 


JTAG extraction 

JTAG (Joint Test Action Group) is an advanced method of data extraction that 
requires a forensic examiner to connect to the test access ports of the device to 
obtain a full physical image. This enables the examiner to unlock and gain access to 
the raw data stored on the memory chip. 


L 


Location 

Location data is drawn from different locations within the mobile device including 
Cell towers, WiFi networks, Harvested Cell towers, Harvested WiFi networks, Media 
locations, Favorites, Reminders, Home, Entered, TomTom, Foursquare, GpsFix, 
Recent, Frequent, Wireless networks. 


M 


Markers 

Markers signify the location where a person's device registered. The color of the 
marker signifies which person was registered at a particular location. At a low zoom 
level, markers show the approximate location, and may include the data of more 
than one person. 
O 


Owner 

The owner of the device that is the subject of the investigation. 


P 


Parties 

Participants in a conversation. For example, communications such as instant 
messaging, emails, etc. 


Physical/Logical Analyzer 

An analysis and reporting tool for logical, file system and physical extractions. This 
software solution provides users with the capability to extract data, perform 
advanced analysis, decoding and reporting, and present the results in a clear and 
concise manner. 


Project tree 

The area in UFED Physical Analyzer that displays the extracted information 
structure of each project opened for analysis. 


Project VIC 

An ecosystem of information and data sharing between domestic and international 
law enforcement agencies combating sexual exploitation of children. Project VIC 
aims to compile all existing online child abuse images into a single repository. Each 
image and video frame is tagged with a unique identifier known as a "hash value." If 
a hash value from Project VIC appears in a case, it is an immediate indication that 
child sexual abuse may be involved. 


Public data 

Public activity on social media channels. UFED Cloud offers an option to capture 
public activity of a Facebook account or other popular apps. (Credentials not 
required.) 


R 


Rebuild cache 

Reconstructs webpages from cache files. You can view website content offline with 
content from the browser cache (when available). 


S 


SQLite database 

A database file format often used for data storage. Commonly used for storage of 
mobile and application data, but many smartphones may use .db files, .plists, and 
other file formats as well. 


SQLite wizard 

Visually decode additional data from databases, particularly from unfamiliar 
databases that were not decoded and may contain important case information. 


State 

The state of a file indicates whether it was intact, deleted by the user, or has an unknown 
status. 


T 


Tag 

An investigator can apply a tag to flag events for future reference. Each event can 
have multiple tags. Tags can be included in reports or used for filtering. 
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Tokens 


Username and password data as saved on a Windows computer. 


Two-factor authentication 


Also referred to as two-step verification or dual-factor authentication: a security process in which the user provides two different authentication factors to verify themselves, to better protect both the user's credentials and the resources the user can access. 

U 

UFDR 
Universal Forensic Extraction Device Report 

UFDX 
UFED generates a UFDX file when there are multiple extractions for a device. It contains information about each extraction. 

UFED 
Universal Forensic Extraction Device 


Unallocated space 


The area on a device's memory outside the defined file system that is available to write data to. Very often, deleted data or fragments can be found and carved from unallocated space. 


V 


Virtual Analyzer 


The Virtual Analyzer enables you to view your data as if you were using the owner's device, validate decoded artifacts and recover data from unsupported apps. It requires an active UFED Physical Analyzer license. The Virtual Analyzer is based on the Andy OS emulator, which is an external tool that simulates an Android device on your computer. 


W 
Watch lists 
A list of keywords used to comb data for important and relevant information. 
Supports wildcards. 

Index 

A 
Activating the license 24 
Adding a new data file type 430 
Advanced decoding 14, 404 
Advanced features 280 
Ad d i f -UFED extraction file 49 
Advanced opening of a UFED extraction file 42 
Android backup 243, 255 
Android Unlock Password Carver plug-in 420 
Android Unlock Pattern Carver plug-in 419 
Application menu 81 
Attaching devices to a chain 409 
Avatar, public data 305 

B 
Binary dump, adding 48 
BlackBerry backup files 339 

C 
CAID 152 
Carved images 359 
Carving images 357 
Carving, generic 363 
Changing the decoding chain 45 
Chat bubbles 260, 439 
Close tabs, unified project 72 
Closing a project 79 
Constructing a new chain 406 
Content tab 72, 98 
Conversation view 137 
Creating a watch list 145 

D 
Data analysis 15 
Data display area 81, 96 
Data files 90, 260, 429-430, 434 
Data files filtering methods 430 
Data sources 209 
Data tabs 106 
Database view 106, 112 
Decoding raw data 400 
Deep carving, recover deleted records 427 
Deleting a data file type 431 
Deleting a report field 437 
Deleting a watch list 148 
Detaching devices from a chain 411 
Detect false positives 427 
Device Locations 179, 182 
Device origin 172 
Dictionary files 333, 424, 453 
Dongle 22, 24-25 
Dongle license 25 
drone data 182 

E 
Editing a report field 437 
Editing a watch list 147 
Editing an existing chain 407 
Editing an existing data file record 431 
Export options 80, 87, 114, 138, 142, 147, 167, 180, 208, 233, 261, 328, 334, 379, 381, 383, 386, 388-389, 393, 395, 397, 399, 402, 423 
Export the hash 163 
Export, format 138 
Exporting a TomTom file 334 
Exporting a watch list 148 
Exporting the file system 419 
Extract files all, selected 231 
Extract menu 454 
Extracting data from a device with a complex password 276 
Extracting data from a device with a simple password 275 
Extraction from GPS or mass storage devices 277 
Extraction from iOS devices 269 
Extraction summary tab 98 
Extraction, rename 99 

F 
File Info tab 120 
File menu 450 
Files view 253 
Folder view 106, 111, 125, 131 
Fuzzy model 330 

G 
General settings 163, 168, 175, 181, 421, 439 
Getting started 33 
Global search results, tagging 141 
GrayKey extractions 41 

H 
Hash database 152 
Hash values 76, 364 
Help 191, 370, 373, 419, 442, 455, 458 
Help menu 458 
Hex data information 401 
Hex view 90, 106, 112, 116, 118-119, 126, 192, 102, 379, 098, 400, 402 

I 
Interface language 204, 267, 422 
Introduction 14 
Investigation notes 266 
iPhone calendar events, year 1604 269 

J 
JTAG 52, 70, 413, 419 

L 
Legal notices 2 
Licensing 27, 191 
Loading a project session 79 
Loading settings 445 
Locating a watch list 151 
Locating and analyzing information 135 
Locating specific data types in the 